jumbojett · samuelwei · Apr 28, 2025 · Apr 28, 2025 · Apr 29, 2025 · Apr 29, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Stop adding ?schema=openid to userinfo endpoint URL. #449
 
 ### Fixed
+- Fix missing `iat` verification when verifying JWT #476
 - Check existence of subject when verifying JWT #474
 
 ## [1.0.1] - 2024-09-13

diff --git a/src/OpenIDConnectClient.php b/src/OpenIDConnectClient.php
@@ -1214,6 +1214,7 @@ protected function verifyJWTClaims($claims, ?string $accessToken = null): bool
             && (!isset($claims->nonce) || $claims->nonce === $this->getNonce())
             && ( !isset($claims->exp) || ((is_int($claims->exp)) && ($claims->exp >= time() - $this->leeway)))
             && ( !isset($claims->nbf) || ((is_int($claims->nbf)) && ($claims->nbf <= time() + $this->leeway)))
+            && ( isset($claims->iat) && is_int($claims->iat))
             && ( !isset($claims->at_hash) || !isset($accessToken) || $claims->at_hash === $expected_at_hash )
         );
     }

diff --git a/tests/OpenIDConnectClientTest.php b/tests/OpenIDConnectClientTest.php
@@ -30,6 +30,7 @@ public function getIdTokenPayload()
             'aud' => 'client-id',
             'iss' => 'issuer',
             'sub' => 'sub',
+            'iat' => time(),
         ]);
         self::assertTrue($valid);
 
@@ -38,6 +39,7 @@ public function getIdTokenPayload()
             'aud' => ['client-id'],
             'iss' => 'issuer',
             'sub' => 'sub',
+            'iat' => time(),
         ]);
         self::assertTrue($valid);
 
@@ -46,6 +48,24 @@ public function getIdTokenPayload()
             'aud' => ['ipsum'],
             'iss' => 'issuer',
             'sub' => 'sub',
+            'iat' => time(),
+        ]);
+        self::assertFalse($valid);
+
+        # iat missing
+        $valid = $client->testVerifyJWTClaims((object)[
+            'aud' => ['client-id'],
+            'iss' => 'issuer',
+            'sub' => 'sub',
+        ]);
+        self::assertFalse($valid);
+
+        # iat invalid
+        $valid = $client->testVerifyJWTClaims((object)[
+            'aud' => ['client-id'],
+            'iss' => 'issuer',
+            'sub' => 'sub',
+            'iat' => 'invalid'
         ]);
         self::assertFalse($valid);
 
@@ -127,6 +147,7 @@ public function testAuthenticateDoesNotThrowExceptionIfClaimsIsMissingNonce()
         $fakeClaims->iss = 'fake-issuer';
         $fakeClaims->aud = 'fake-client-id';
         $fakeClaims->sub = 'fake-sub';
+        $fakeClaims->iat = time();
         $fakeClaims->nonce = null;
 
         $_REQUEST['id_token'] = 'abc.123.xyz';