auxData.jwt.disableVerification not operating as expected about cerbos HOT 3 CLOSED

Was just reading up on the jwx package that is used to interact with JWTs and it seems like this is probably expected behavior due to the following:

https://github.com/lestrrat-go/jwx/blob/develop/v2/docs/01-jwt.md#terminology

Verification
We use the terms "verify" and "verification" to describe the process of ensuring the integrity of the JWT, namely the signature verification.

Validation
We use the terms "validate" and "validation" to describe the process of checking the contents of a JWT, for example if the values in fields such as "iss", "sub", "aud" match our expected values, and/or if the token has expired.

So either providing a way to disable Verification and Validation or a way to control the behavior of what is considered expired would be useful.

from cerbos.

Yes, this is the expected behaviour. Disabling verification only disables the cryptographic validation and we don't recommend doing that for production deployments. Regardless of the value of disableVerification config, the exp claim of the JWT is still checked to make sure that the token is valid and Cerbos is not operating on stale data. What's your use case for handling expired tokens?

from cerbos.

Our existing system allows for a leeway of a certain number of seconds for some reason, so we are seeing some differing behavior b/c Cerbos rejects some requests that our legacy system lets through due to a JWT being expired by a handful of seconds.

The legacy system is still in charge of doing the verification and validation of the JWT but Cerbos is using some of the claims in the JWT as input for the policies. So any JWT we hand off to Cerbos should be considered good already but we occasionally see these errors b/c of the difference in the allowed leeway.

from cerbos.