
fix: reject jwt-bearer assertions with future iat claim #877

Open

SAY-5 wants to merge 1 commit into ory:master from SAY-5:fix/jwt-bearer-iat-validation


Conversation


@SAY-5 SAY-5 commented May 13, 2026

Rejects urn:ietf:params:oauth:grant-type:jwt-bearer assertions whose iat claim is in the future. Previously the max-duration check used exp - iat, so a token with iat set far ahead would always satisfy the bound regardless of exp.

Related Issue or Design Document

Closes #853

Checklist

  • I have read the contributing guidelines and signed the CLA.
  • I have referenced an issue containing the design document if my change introduces a new feature.
  • I have read the security policy.
  • I confirm that this pull request does not address a security vulnerability.
    If this pull request addresses a security vulnerability,
    I confirm that I got approval (please contact security@ory.sh) from the maintainers to push the changes.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added the necessary documentation within the code base (if appropriate).

Further comments

The bug is described in the public issue #853 (open since April 2025); the reporter notes the implications are minor (long-lived JTIs accumulating in storage). The fix mirrors the existing nbf validation pattern in the same function.

Summary by CodeRabbit

  • Bug Fixes

    • JWT validation now rejects assertions whose "issued-at" (iat) claim is set in the future, preventing acceptance of improperly timestamped tokens and improving authentication correctness.
  • Tests

    • Added test coverage to verify JWT assertions with future-dated "iat" claims are correctly rejected.
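The exp - iat flaw described in the PR description, as an added Go example that is not fosite's code and does not reproduce its validateTokenClaims function. TimeClaims, validateLegacy and validateFixed are hypothetical names; the claims and the pinned server clock are constructed for the example. validateLegacy keeps the faulty bound (exp - iat) so the bypass is visible; validateFixed rejects a future iat the way a future nbf is rejected and measures the lifetime as exp - now, with an optional clock-skew allowance.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// TimeClaims holds the time-related claims of a jwt-bearer assertion.
// A zero time means the claim is absent. Constructed for this example,
// not fosite's own claim representation.
type TimeClaims struct {
	IssuedAt  time.Time // iat
	NotBefore time.Time // nbf
	ExpiresAt time.Time // exp
}

var (
	ErrExpired      = errors.New("assertion has expired or carries no exp")
	ErrNotYetValid  = errors.New("assertion nbf is in the future")
	ErrFutureIssued = errors.New("assertion iat is in the future")
	ErrTooLongLived = errors.New("assertion lifetime exceeds the configured maximum")
)

// validateLegacy reproduces the faulty pattern from issue #853: the
// maximum-duration bound is measured as exp - iat. The client mints the
// assertion and therefore chooses iat, so pushing iat forward shrinks
// exp - iat to any value while exp itself stays far in the future.
func validateLegacy(c TimeClaims, now time.Time, maxDuration time.Duration) error {
	if c.ExpiresAt.IsZero() || !c.ExpiresAt.After(now) {
		return ErrExpired
	}
	if !c.NotBefore.IsZero() && c.NotBefore.After(now) {
		return ErrNotYetValid
	}
	// BUG: the bound is measured from a client-chosen timestamp.
	if !c.IssuedAt.IsZero() && c.ExpiresAt.Sub(c.IssuedAt) > maxDuration {
		return ErrTooLongLived
	}
	return nil
}

// validateFixed applies both corrections: a future iat is rejected exactly as
// a future nbf is, and the lifetime is measured from the server's own clock as
// exp - now, which the client cannot influence. skew absorbs small clock drift
// between issuer and server; pass 0 for exact comparison.
func validateFixed(c TimeClaims, now time.Time, maxDuration, skew time.Duration) error {
	if c.ExpiresAt.IsZero() || !c.ExpiresAt.After(now.Add(-skew)) {
		return ErrExpired
	}
	if !c.NotBefore.IsZero() && c.NotBefore.After(now.Add(skew)) {
		return ErrNotYetValid
	}
	if !c.IssuedAt.IsZero() && c.IssuedAt.After(now.Add(skew)) {
		return ErrFutureIssued
	}
	if c.ExpiresAt.Sub(now) > maxDuration {
		return ErrTooLongLived
	}
	return nil
}

func main() {
	// Constructed scenarios; the server clock is pinned so output is stable.
	now := time.Date(2026, 5, 13, 12, 0, 0, 0, time.UTC)
	const maxLifetime = time.Hour
	cases := []struct {
		name string
		c    TimeClaims
	}{
		{"honest 30m assertion", TimeClaims{IssuedAt: now.Add(-time.Minute), ExpiresAt: now.Add(30 * time.Minute)}},
		{"honest but 2h long", TimeClaims{IssuedAt: now, ExpiresAt: now.Add(2 * time.Hour)}},
		{"future iat, 24h exp", TimeClaims{IssuedAt: now.Add(23 * time.Hour), ExpiresAt: now.Add(24 * time.Hour)}},
	}
	for _, tc := range cases {
		fmt.Printf("%-22s legacy=%v fixed=%v\n", tc.name,
			validateLegacy(tc.c, now, maxLifetime), validateFixed(tc.c, now, maxLifetime, 0))
	}
}
```

The third scenario is the one from the issue: iat 23 hours ahead and exp 24 hours ahead gives exp - iat of exactly one hour, so validateLegacy accepts a token that will be replayable (and whose jti must be stored) for a full day, while validateFixed rejects it on the iat check before the duration is even computed. Measuring exp - now on its own would also catch this case, but the explicit iat check is what mirrors the existing nbf handling and gives the caller a precise error hint.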


@SAY-5 SAY-5 requested review from a team and aeneasr as code owners May 13, 2026 05:49

coderabbitai Bot commented May 13, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 3339c606-9fa8-4878-aa50-04e1e3103128

📥 Commits

Reviewing files that changed from the base of the PR and between c3d52c8 and 5587dd9.

📒 Files selected for processing (2)
  • handler/rfc7523/handler.go
  • handler/rfc7523/handler_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • handler/rfc7523/handler_test.go

📝 Walkthrough

This PR rejects JWT assertions whose iat (issued-at) claim is after the current time in validateTokenClaims, and adds a test that asserts HandleTokenEndpointRequest fails with fosite.ErrInvalidGrant and a hint mentioning the future iat.

Changes

JWT issued-at future timestamp validation

Layer: Future issued-at validation
File(s): handler/rfc7523/handler.go, handler/rfc7523/handler_test.go
Summary: validateTokenClaims now rejects assertions when iat is present and its timestamp exceeds the current time, returning fosite.ErrInvalidGrant. New test TestAssertionWithIssueDateInFuture verifies HandleTokenEndpointRequest rejects future-dated JWTs and includes an RFC6749 hint about the iat value. File header years updated from 2025 → 2026.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Title check: ✅ Passed. The title clearly and concisely summarizes the main change: rejecting JWT-bearer assertions with future iat claims, which is the primary objective of the changeset.
  • Description check: ✅ Passed. The description adequately explains the bug fix, references the related issue #853, and includes completed checklist items demonstrating CLA signature, policy review, and test additions.
  • Linked Issues check: ✅ Passed. The changes fully address issue #853 by adding validation to reject JWTs with future iat claims, computing duration using current time rather than iat, and mirroring the existing nbf validation pattern.
  • Out of Scope Changes check: ✅ Passed. All changes are directly related to the linked issue objective: handler.go implements iat validation logic, handler_test.go adds a test case, and copyright headers are updated as standard practice.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions



@SAY-5 SAY-5 force-pushed the fix/jwt-bearer-iat-validation branch from c3d52c8 to 5587dd9 May 13, 2026 07:09


Development

Successfully merging this pull request may close these issues:

  • Max JWT duration for urn:ietf:params:oauth:grant-type:jwt-bearer grant type is validated against (exp - iat) and not (exp - now)