Implement config variable to allow iat to remain unchanged claim when refreshing a token

[robinnydahl]

Description

Please see my issue #268. Implement possibility to keep iat unchanged during token refresh.

Checklist:

• I've added tests for my changes or tests are not applicable
• I've changed documentations or changes are not required
• I've added my changes to CHANGELOG.md

[Messhias]

@mfn or @eschricker can you review it?

[mfn]

Please allow me to find time, getting back ASAP

[mfn]

I replied over at #268 (comment)

[robinnydahl]

I replied in #268 as well :)

[specialtactics]

I am actually keen to set this to false by default in the interests of security, if the other maintainers are game.

[mfn]

I am actually keen to set this to false by default in the interests of security, if the other maintainers are game.

I can, together with the context of #268 (comment) , agree to this.

I acknowledge:

• the sudden change in behaviour which next to no proper warning is very unfortunate
• in the interest of secure-by-default, the default should be false and match the current behaviour
• the config comment, which likely will serve as the primordial documentation on this for the future, should be more clear about the security implications, more or less the scenario in the comment from @specialtactics I linked to

What do y'all think?

[specialtactics]

I agree with your thoughts there @mfn, and I guess to your point, we need to work on having some documentation there on that, since we are adding more functionality to this package, and I don't think we control the original docs?