jpadilla · mark-adams · Apr 17, 2017 · Apr 17, 2017 · Apr 17, 2017
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,9 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - Add support for ECDSA public keys in RFC 4253 (OpenSSH) format [#244][244]
 - Renamed commandline script `jwt` to `jwt-cli` to avoid issues with the script clobbering the `jwt` module in some circumstances.
 - Better error messages when using an algorithm that requires the cryptography package, but it isn't available [#230][230]
+- Tokens with future 'iat' values are no longer rejected [#190][190]
+- Non-numeric 'iat' values now raise InvalidIssuedAtError instead of DecodeError
+
 
 ### Fixed
 
@@ -129,5 +132,6 @@ rarely used. Users affected by this should upgrade to 3.3+.
 [174]: https://github.com/jpadilla/pyjwt/pull/174
 [182]: https://github.com/jpadilla/pyjwt/pull/182
 [183]: https://github.com/jpadilla/pyjwt/pull/183
+[190]: https://github.com/jpadilla/pyjwt/pull/190
 [213]: https://github.com/jpadilla/pyjwt/pull/214
 [244]: https://github.com/jpadilla/pyjwt/pull/244
diff --git a/docs/usage.rst b/docs/usage.rst
@@ -180,8 +180,7 @@ Issued At Claim (iat)
     This claim can be used to determine the age of the JWT. Its value MUST be a
     number containing a NumericDate value. Use of this claim is OPTIONAL.
 
-If the `iat` claim is in the future, an `jwt.InvalidIssuedAtError` exception
-will be raised.
+    If the `iat` claim is not a number, an `jwt.InvalidIssuedAtError` exception will be raised.
 
 .. code-block:: python
 

diff --git a/jwt/api_jwt.py b/jwt/api_jwt.py
@@ -121,13 +121,9 @@ def _validate_required_claims(self, payload, options):
 
     def _validate_iat(self, payload, now, leeway):
         try:
-            iat = int(payload['iat'])
+            int(payload['iat'])
         except ValueError:
-            raise DecodeError('Issued At claim (iat) must be an integer.')
-
-        if iat > (now + leeway):
-            raise InvalidIssuedAtError('Issued At claim (iat) cannot be in'
-                                       ' the future.')
+            raise InvalidIssuedAtError('Issued At claim (iat) must be an integer.')
 
     def _validate_nbf(self, payload, now, leeway):
         try:

diff --git a/tests/test_api_jwt.py b/tests/test_api_jwt.py
@@ -142,7 +142,7 @@ def test_decode_raises_exception_if_iat_is_not_int(self, jwt):
                        'eyJpYXQiOiJub3QtYW4taW50In0.'
                        'H1GmcQgSySa5LOKYbzGm--b1OmRbHFkyk8pq811FzZM')
 
-        with pytest.raises(DecodeError):
+        with pytest.raises(InvalidIssuedAtError):
             jwt.decode(example_jwt, 'secret')
 
     def test_decode_raises_exception_if_nbf_is_not_int(self, jwt):
@@ -154,13 +154,6 @@ def test_decode_raises_exception_if_nbf_is_not_int(self, jwt):
         with pytest.raises(DecodeError):
             jwt.decode(example_jwt, 'secret')
 
-    def test_decode_raises_exception_if_iat_in_the_future(self, jwt):
-        now = datetime.utcnow()
-        token = jwt.encode({'iat': now + timedelta(days=1)}, key='secret')
-
-        with pytest.raises(InvalidIssuedAtError):
-            jwt.decode(token, 'secret')
-
     def test_encode_datetime(self, jwt):
         secret = 'secret'
         current_datetime = datetime.utcnow()