I can’t find any documentation about that.
I assume clients and servers, or multiple servers, are not always synchronized between them (and I’ve seen that happen).
So if an application tries to validate a JWT from another server, but using its own time, it may find that JWT to always be invalid, even if it’s currently valid. So I would think that the expiration time should be checked using the issuer’s time.
Am I overthinking this issue? Also are there any security risks at not using the issuer’s time?