Christian Banse

Results 302 comments of Christian Banse

> how long do we have to wait? :)

This is an open source project maintained by a group of people who maintain it in their spare, free time (unpaid)....

I think this can be closed as we do not directly take the compatibility-breaking approach of the original v4 branch.

> It was quite convenient to construct a parser that would also validate audience, issuer, etc. Now with this library [I have to manually validate those](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/merge_requests/456/diffs#1567437db92ebef167a055658289fb0df9ab71d1_58_60). This feels less convenient....

I need some time to look at this properly. It does change the public API though.

Yes, this is somewhat dependent on #16. Meanwhile you can use `jwt.TimeFunc` to account for clock skew. https://github.com/golang-jwt/jwt/blob/2ebb50f957d606de5909fcf9ed49f9af3bc35e97/token.go#L10-L13

> Is the error "token used before issued" really needed?
>
> RFC7519 says that:
>
> > https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4
> > The "exp" (expiration time) claim identifies the expiration time...

@JorritSalverda Could you have a look at #139 to see if that mitigates your problem? Once we have that merged in, it will also pave the way to a backwards-compatible way...

> @oxisto : For v4, Do you think we can also add an option to enable the issued at validation (should be disabled by default) to #139 ? > >...

Good idea. May I suggest an alternative name like `AuthorizationHeaderExtractor` or do you think that is too long?

> I have this in literally every project, haha. I'd suggest something like `GetTokenFromHeader`

There is already a `TokenExtractor` which loops through all tokens, since this is specific to a...