From 24e242e7b3df3bbdda2c9fe12d0785710f9129fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Wed, 17 Jan 2024 16:26:11 +0100
Subject: [PATCH] Fix the client assertion validation logic to avoid rejecting assertions that don't specify an "iat" claim
---
 src/OpenIddict.Server/OpenIddictServerHandlers.cs | 13 -------------
 1 file changed, 13 deletions(-)
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.cs
index 98971db6..836d3ac8 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.cs
@@ -687,19 +687,6 @@ public static partial class OpenIddictServerHandlers
 return default;
 }
- // Client assertions MUST contain contain an "iat" claim. For more information,
- // see https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
- // and https://datatracker.ietf.org/doc/html/rfc7523#section-3.
- if (!context.ClientAssertionPrincipal.HasClaim(Claims.IssuedAt))
- {
- context.Reject(
- error: Errors.InvalidRequest,
- description: SR.FormatID2172(Claims.IssuedAt),
- uri: SR.FormatID8000(SR.ID2172));
-
- return default;
- }
-
 return default;
 static bool ValidateClaimGroup(string name, List values) => name switch
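Review bot: Dropping the `iat` requirement is consistent with RFC 7523 section 3, which only says the assertion MAY carry `iat` (the deleted comment overstated this as a MUST), but the hunk does not show whether the `exp`, `aud` and `jti` checks that RFC 7523 and OpenID Connect Core rely on for replay protection of client assertions still run in the part of this handler outside the hunk, so it is worth confirming they remain and were not coupled to the removed branch. Without any marker at the deletion point the next reader may re-add the check; a one-line comment such as `// "iat" is optional for client assertions (RFC 7523, section 3); freshness is enforced through "exp" and "jti" rather than "iat".` before the remaining `return default;` would record the decision. If this was the only call site, `SR.FormatID2172`/`SR.ID2172` may now be unreferenced and could be retired in a follow-up, which cannot be confirmed from the hunk alone. The enclosing handler starts and ends outside the hunk.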