Hydra JWT access tokens contain the “not before” claim, with the same value as “issued at”.
This could lead to failing validations if a resource server doesn’t have the correct time set, or has a few seconds of clock skew but strict “not before” validation.
In addition, I think there is no point in setting “not before” to the “issued at” timestamp. This claim seems to be intended for use cases where a future date is given, so that a client cannot use a token immediately (e.g. a subscription starts tomorrow and cannot be used directly after token creation, see https://stackoverflow.com/questions/43291659/usage-of-nbf-in-json-web-tokens).
According to https://tools.ietf.org/html/rfc7519#section-4.1.5 the nbf claim is optional. Other implementations do not provide an “nbf” claim, or they provide one which is set to the value 0.
Can “nbf” be removed by configuration? Is there a chance of having the default behavior of hydra changed to a token without the nbf claim?
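
The failure mode described in the post, as an added example that is not part of the original post and is not Hydra's code: a resource server whose clock runs 3 seconds behind rejects a token with nbf equal to iat under strict validation, and accepts it once a leeway is applied. The names `Claims`, `ParseClaims`, `CheckTimes` and `ErrNotYetValid` are hypothetical, the token is constructed with a placeholder signature, and signature verification is assumed to have happened already.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

type Claims struct {
	Iat int64  `json:"iat"`
	Nbf *int64 `json:"nbf,omitempty"` // optional per RFC 7519 section 4.1.5
	Exp int64  `json:"exp"`
}

var ErrNotYetValid = errors.New("token not yet valid (nbf)")

// ParseClaims decodes the payload of a compact JWT (signature assumed verified).
func ParseClaims(token string) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	return c, err
}

// CheckTimes enforces nbf and exp, tolerating up to leeway of clock skew.
func CheckTimes(c Claims, now time.Time, leeway time.Duration) error {
	if c.Nbf != nil && now.Add(leeway).Before(time.Unix(*c.Nbf, 0)) {
		return ErrNotYetValid
	}
	if !now.Add(-leeway).Before(time.Unix(c.Exp, 0)) {
		return errors.New("token expired (exp)")
	}
	return nil
}

func main() {
	iat := int64(1700000000) // constructed issue time; token carries nbf == iat
	p, _ := json.Marshal(Claims{Iat: iat, Nbf: &iat, Exp: iat + 3600})
	c, _ := ParseClaims("e30." + base64.RawURLEncoding.EncodeToString(p) + ".sig")
	behind := time.Unix(iat-3, 0) // resource server clock runs 3s behind
	fmt.Println(CheckTimes(c, behind, 0), "|", CheckTimes(c, behind, 30*time.Second))
}
```

A token without the nbf claim skips the first check entirely, which is why strict validators on slightly skewed clocks only fail when the issuer sets nbf to the issue time.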