Hi,
Even if there is an exp property on the token, the code verifies the iat property (issued at) + OIDC_LEEWAY, even if no OIDC_LEEWAY is configured by the user, since there is a default.
This leads to a lot of confusion in our team. Should this really be the default behavior? And if yes, maybe it can be better documented?
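
The behavior described above, as an added example that is not part of the original post and is not the project's code: a small diagnostic that reads a token's claims and reports which check ends its acceptance first when both `exp` and `iat + OIDC_LEEWAY` are enforced. The function names, the sample token and the leeway value of 600 seconds are assumptions constructed for illustration, not the project's default.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def read_claims(token: str) -> dict:
    """Return payload claims WITHOUT verifying the signature (diagnostics only)."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def check(claims: dict, now: int, leeway: int) -> str:
    """Apply both time checks as the post describes them (assumed order)."""
    if "exp" in claims and now > claims["exp"]:
        return "rejected: exp passed"
    if "iat" in claims and now > claims["iat"] + leeway:
        return "rejected: iat + leeway passed"
    return "accepted"

def acceptance_window(claims: dict, leeway: int) -> dict:
    """Report the last accepted timestamp and which claim imposes it."""
    limits = {}
    if "exp" in claims:
        limits["exp"] = claims["exp"]
    if "iat" in claims:
        limits["iat+leeway"] = claims["iat"] + leeway
    if not limits:
        return {"cutoff": None, "limited_by": None}
    limited_by = min(limits, key=limits.get)
    return {"cutoff": limits[limited_by], "limited_by": limited_by}

def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned token used only as sample input.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

ISSUED = 1_700_000_000                      # constructed timestamp
SAMPLE_TOKEN = make_sample_token({"iat": ISSUED, "exp": ISSUED + 3600})
SAMPLE_LEEWAY = 600                         # assumed value, not the real default

if __name__ == "__main__":
    claims = read_claims(SAMPLE_TOKEN)
    print(acceptance_window(claims, SAMPLE_LEEWAY))
    for offset in (300, 900, 3700):
        print(offset, check(claims, ISSUED + offset, SAMPLE_LEEWAY))
```

With these sample values the token carries a one-hour `exp` but stops being accepted after ten minutes, which is the mismatch the post reports.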