Add a JWTLeeway for LTI 1.3 JWT validation.

This is the maximum allowed difference between the exp and iat values in
the JWT sent with a launch request.  The Crypt::JWT module by default
uses a value of 0 for this, meaning that the iat and exp values in the
token must be exactly the current time.  That is probably going to
frequently be to strict.  So this uses a default of 10 (perhaps 60
should be used here like the NoneLifeTime for LTI 1.1?).

This is probably why many are experiencing issues with JWT tokens
failing to validate.

Author: drgrice1

conf/authen_LTI_1_3.conf.dist

@@ -116,6 +116,13 @@ $LTI{v1p3}{AuthReqURL}      = '';
 # don't pile up in the database.
 $LTI{v1p3}{StateKeyLifetime} = 60;    # in seconds
 
+# When a LTI 1.3 launch request occurs the JWT in the request is decoded and the exp and iat in
+# the token are validated.  The JWTLeeway is the maximum allowed difference between the exp and
+# iat values in the token and the current time.  If the JWTs in these launch requests are
+# failing to validate, then increase this value to allow for a larger difference between the exp
+# and iat values in the JWT and the current time.
+$LTI{v1p3}{JWTLeeway} = 10;    # in seconds
+
 ################################################################################################
 # LTI 1.3 LMS Roles Mapped to WeBWorK Roles
 ################################################################################################

lib/WeBWorK/ContentGenerator/LTIAdvantage.pm

@@ -367,6 +367,7 @@ sub extract_jwt_claims ($c) {
 		verify_aud => $ce->{LTI}{v1p3}{ClientID},
 		verify_iat => 1,
 		verify_exp => 1,
+		leeway     => $ce->{LTI}{v1p3}{JWTLeeway} // 10,
 		# This just checks that this claim is present.
 		verify_sub => sub ($value) { return $value =~ /\S/ }
 	);