worldcoin/developer-portal

World Coin IAT doesn't follow JSON Web Token RFC

Closed this issue · 1 comments

World Coin's SSO sends a JSON Web Token that has an IAT in milliseconds from Epoch but the standard is to use seconds from Epoch. This is causing incompatibility with OIDC libraries (specifically pyoidc).

See: https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.6

4.1.6. "iat" (Issued At) Claim
The "iat" (issued at) claim identifies the time at which the JWT was
issued. This claim can be used to determine the age of the JWT. Its
value MUST be a number containing a NumericDate value. Use of this
claim is OPTIONAL.

And definition of NumericDate:

NumericDate
A JSON numeric value representing the number of seconds from
1970-01-01T00:00:00Z UTC until the specified UTC date/time,
ignoring leap seconds. This is equivalent to the IEEE Std 1003.1,
2013 Edition [POSIX.1] definition "Seconds Since the Epoch", in
which each day is accounted for by exactly 86400 seconds, other
than that non-integer values can be represented. See RFC 3339
[RFC3339] for details regarding date/times in general and UTC in
particular.

thx for reporting @chrislondon, this is now fixed.
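
The mismatch reported above can be caught on the relying-party side before a token reaches an OIDC library. The sketch below is an added example, not part of the original issue or of the project's code: it classifies an `iat` claim against the RFC 7519 NumericDate definition. The function names, the 1e11 cutoff used to recognise millisecond values, the fixed clock and the sample tokens are all assumptions made for illustration, and the payload is decoded without signature verification, so it is for inspection only.

```python
import base64
import json

MS_CUTOFF = 1e11  # assumed heuristic: 1e11 seconds is past year 5000, 1e11 ms is 1973


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode the payload segment only. No signature check: inspection, not trust."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_iat(claims: dict, now: float, leeway: int = 300) -> str:
    """Classify "iat" against NumericDate (seconds since the Epoch)."""
    iat = claims.get("iat")
    if iat is None:
        return "absent"  # RFC 7519 section 4.1.6: use of the claim is OPTIONAL
    if isinstance(iat, bool) or not isinstance(iat, (int, float)):
        return "not-a-number"  # MUST be a JSON numeric value
    if iat >= MS_CUTOFF:
        return "milliseconds"  # read as seconds, this is thousands of years ahead
    if iat > now + leeway:
        return "in-future"  # issued after our clock plus allowed skew
    return "ok"  # non-integer seconds are allowed by NumericDate


def make_token(claims: dict) -> str:
    """Build a constructed sample token with a placeholder signature segment."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.placeholder-sig"


NOW = 1_700_000_000  # constructed fixed clock, in seconds

if __name__ == "__main__":
    samples = {
        "seconds": {"iat": NOW},
        "milliseconds": {"iat": NOW * 1000},
        "skewed": {"iat": NOW + 3600},
        "string": {"iat": str(NOW)},
    }
    for name, claims in samples.items():
        print(name, check_iat(jwt_claims(make_token(claims)), NOW))
```

A strict validator treats the millisecond value like any other `iat` far in the future; the separate label only makes the root cause visible in logs.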