From 6e1b8014237482d2ea0512d5a805749d41f8b33c Mon Sep 17 00:00:00 2001
From: Andrew Millington
Date: Mon, 14 Nov 2022 13:05:13 +0000
Subject: [PATCH 1/2] Change to use loose valid at
---
 src/AuthorizationValidators/BearerTokenValidator.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/AuthorizationValidators/BearerTokenValidator.php b/src/AuthorizationValidators/BearerTokenValidator.php
index 3c16f6850..faef53585 100644
--- a/src/AuthorizationValidators/BearerTokenValidator.php
+++ b/src/AuthorizationValidators/BearerTokenValidator.php
@@ -15,7 +15,7 @@
 use Lcobucci\JWT\Signer\Key\InMemory;
 use Lcobucci\JWT\Signer\Rsa\Sha256;
 use Lcobucci\JWT\Validation\Constraint\SignedWith;
-use Lcobucci\JWT\Validation\Constraint\StrictValidAt;
+use Lcobucci\JWT\Validation\Constraint\LooseValidAt;
 use Lcobucci\JWT\Validation\Constraint\ValidAt;
 use Lcobucci\JWT\Validation\RequiredConstraintsViolated;
 use League\OAuth2\Server\CryptKey;
@@ -74,8 +74,8 @@ private function initJwtConfiguration()
 );
 $this->jwtConfiguration->setValidationConstraints(
-\class_exists(StrictValidAt::class)
-? new StrictValidAt(new SystemClock(new DateTimeZone(\date_default_timezone_get())))
+\class_exists(LooseValidAt::class)
+? new LooseValidAt(new SystemClock(new DateTimeZone(\date_default_timezone_get())))
 : new ValidAt(new SystemClock(new DateTimeZone(\date_default_timezone_get()))),
 new SignedWith(
 new Sha256(),
From a5bcef852ecf15749a6a3a4883d8cfe076ca6b1e Mon Sep 17 00:00:00 2001
From: Andrew Millington
Date: Mon, 14 Nov 2022 13:11:13 +0000
Subject: [PATCH 2/2] Update changelog
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b83689127..2c224552c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
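Review bot: Swapping `StrictValidAt` for `LooseValidAt` in the `setValidationConstraints(...)` call means a token with no `exp` claim now passes the time constraint outright, because lcobucci/jwt's loose variant only checks whichever of `iat`/`nbf`/`exp` are present, and nothing in this hunk still requires `exp`. A resource server should not accept a bearer token that never expires, even a correctly signed one, so the presence of `exp` should be asserted where the parsed token is validated (that method is outside this hunk), for instance `if (!$token->claims()->has('exp')) { throw OAuthServerException::accessDenied('Access token has no expiry'); }`, using whatever exception the existing validation path already throws. That keeps the stated goal of the change (not forcing `nbf`/`iat` on every token) while preserving the one time-based check that matters for revocation-by-expiry. As a readability point, the `SystemClock` is constructed three times from `\date_default_timezone_get()`; hoisting it into one local such as `$clock = new SystemClock(new DateTimeZone(\date_default_timezone_get()));` would shorten the ternary. `initJwtConfiguration` continues past the end of the hunk.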
@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [Unreleased]
 ### Fixed
 - Use InMemory::plainText('empty', 'empty') instead of InMemory::plainText('') to avoid [new empty string exception](https://github.com/lcobucci/jwt/pull/833) thrown by lcobucci/jwt (PR #1282)
+- Use LooseValidAt instead of StrictValidAt so that users aren't forced to use claims such as NBF in their JWT tokens (PR #1312)
 ## [8.3.4] - released 2022-04-07
 ### Fixed