Skip to content

IssuedAt claim is not verified when jwt.WithIssuedAt() option is given to Parser #489

New issue
New issue
Open
Open
IssuedAt claim is not verified when jwt.WithIssuedAt() option is given to Parser#489
@ahola-ookla

Description

@ahola-ookla
ahola-ookla
opened on Dec 8, 2025

In jwt/validator.go, the validation logic for IssuedAt is:

	// Check issued-at if the option is enabled
	if v.verifyIat {
		if err = v.verifyIssuedAt(claims, now, false); err != nil {
			errs = append(errs, err)
		}
	}

Because the last parameter to v.verifyIssuedAt(claims, now, false) is false, IssuedAt is not verified even if v.verifyIat is true.

The correct logic is to use v.verifyIssuedAt(claims, now, true).

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions