Conversation

@lcabral37

I noticed there was a minor difference between the server generating the JWT and the server decoding it (on an OpenID Connect project) and although the difference is within milliseconds, very often the iat verification failed, so I had to read up on the documentation and verify there is some recommendation at least for the exp and the nbf. So I've considered adding a leeway time to all time verifications.

Sources:
http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html#nbfDef
http://openid.net/specs/openid-connect-core-1_0.html#IDToken

@robertdimarco

@lcabral37 Thanks for the pull request! I like the idea, but am weakly opposed to using the clock skew by default. What are your thoughts on making this an option instead? By doing so, we can document an example with skew in the README and it should be clear to the consumers of this library.

@lcabral37
Author

I'm pretty OK with having the clock skew as an option.
It does provide the chance to document the feature and also allows anyone using this library to specify their own limits (whether it is 5 secs or 2 minutes).
I'll try to have an update on the pull request hopefully in a couple of days.

@robertdimarco

@lcabral37 Thanks, appreciate it.

@lcabral37
Author

This took a bit longer to get my hands on it (although it was a quick fix), but I needed to re-branch this, so I have made a new pull request that respects this thread's discussion.

The new pull request is available in #46

@lcabral37 lcabral37 closed this May 11, 2015
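The leeway check the thread converges on (skew tolerance as an opt-in option, default zero, applied to exp, nbf and iat), as an added stand-alone example; this is not the library's own code, and the payload values and the 30 ms clock offset are constructed for illustration.

```python
import time


class JWTClaimError(Exception):
    """Raised when a registered time claim rejects the token."""


def check_time_claims(payload, now=None, leeway=0):
    """Validate exp, nbf and iat with an optional leeway in seconds.

    leeway defaults to 0, so skew tolerance is opt-in, as agreed in the
    discussion above; callers pick their own limit (5 s, 2 min, ...).
    now is the verifier's clock (seconds since epoch), injectable for tests.
    """
    if leeway < 0:
        raise ValueError("leeway must be non-negative")
    now = time.time() if now is None else now

    for claim in ("exp", "nbf", "iat"):
        value = payload.get(claim)
        if value is not None and not isinstance(value, (int, float)):
            raise JWTClaimError(f"{claim} must be a NumericDate")

    # exp: the token is invalid once the current time reaches exp;
    # leeway extends the acceptance window past exp.
    exp = payload.get("exp")
    if exp is not None and now >= exp + leeway:
        raise JWTClaimError("token has expired (exp)")

    # nbf: the token is not valid before nbf; leeway lets a verifier whose
    # clock is slightly behind the issuer accept it a little early.
    nbf = payload.get("nbf")
    if nbf is not None and now + leeway < nbf:
        raise JWTClaimError("token not yet valid (nbf)")

    # iat: an issue time in the future signals skew (or forgery); the same
    # leeway tolerates a few milliseconds of clock difference.
    iat = payload.get("iat")
    if iat is not None and now + leeway < iat:
        raise JWTClaimError("token issued in the future (iat)")
    return True


def is_valid(payload, now, leeway=0):
    """Boolean wrapper around check_time_claims for callers that do not want exceptions."""
    try:
        return check_time_claims(payload, now, leeway)
    except JWTClaimError:
        return False


if __name__ == "__main__":
    # Constructed payload: issuer's clock is 30 ms ahead of the verifier's.
    claims = {"iat": 1000.0, "nbf": 1000.0, "exp": 1300.0}
    print(is_valid(claims, now=999.97))            # False: iat is "in the future"
    print(is_valid(claims, now=999.97, leeway=5))  # True: skew absorbed by leeway
```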