Open
Description
This package fails the oidcc-client-test-missing-iat test of the OpenID Foundation conformance suite.
The client must identify the missing 'iat' value and reject the ID Token after doing ID Token validation.
https://openid.net/specs/openid-connect-core-1_0.html#IDToken
- ID Token
The primary extension that OpenID Connect makes to OAuth 2.0 to enable End-Users to be Authenticated is the ID Token data structure. The ID Token is a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims. The ID Token is represented as a JSON Web Token (JWT) [JWT]. The following Claims are used within the ID Token for all OAuth 2.0 flows used by OpenID Connect:
[...]
iat
REQUIRED. Time at which the JWT was issued. Its value is a JSON number representing the number of seconds from 1970-01-01T00:00:00Z as measured in UTC until the date/time.
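The claim check this issue asks for, as an added example that is not this package's code: a client-side validator that rejects an ID Token whose `iat` is missing or is not a JSON number. The function names, the 300-second leeway and the future-`iat` policy are assumptions, the sample token is constructed, and signature verification is deliberately left out.

```python
import base64
import json

# Claims that OpenID Connect Core section 2 marks REQUIRED in every ID Token.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")

class IDTokenError(ValueError):
    """An ID Token failed claim validation and must be rejected."""

def make_token(claims):
    """Constructed sample token with a placeholder signature (demo input only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])

def decode_payload(compact_jwt):
    """Return the claims of a compact JWS. Signature verification is out of scope here."""
    parts = compact_jwt.split(".")
    if len(parts) != 3:
        raise IDTokenError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:
        raise IDTokenError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise IDTokenError("payload is not a JSON object")
    return claims

def numeric_date(claims, name):
    value = claims[name]
    # bool is a subclass of int in Python, but JSON true/false is not a number.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise IDTokenError(f"{name} must be a JSON number")
    return value

def validate_claims(claims, now, leeway=300):
    """Reject the token unless every REQUIRED claim is present and the times are sane."""
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise IDTokenError("missing required claim(s): " + ", ".join(missing))
    exp, iat = numeric_date(claims, "exp"), numeric_date(claims, "iat")
    if now >= exp + leeway:
        raise IDTokenError("token expired")
    if iat > now + leeway:  # local policy (assumption), not a spec requirement
        raise IDTokenError("iat is in the future")
    return claims
```
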