
auth_time doesn't match user's lastSignInTime (always matches iat instead) #3608

@lovelle-cardoso

Description

[REQUIRED] Describe your environment

  • Operating System version: Windows 10 Home Version 20H2, Build 19042.1052
  • Browser version: Chrome Version 91.0.4472.164 (64-bit)
  • Firebase SDK version: firebase 9.0.0-beta.6
  • Firebase Product: Firestore Emulator, Database Emulator, Storage Emulator

[REQUIRED] Describe the problem

According to the documentation, auth_time should match the user's last sign in time, and iat should match the time this token was issued. This means auth_time should only be updated once, when the user signed in, and iat should change every hour when a new token is issued. This is not the case however. Despite what the documentation says, auth_time changes every hour at the same time as iat. This means auth_time always matches iat, and can't be used in security rules to check the time the user last signed in.

https://firebase.google.com/docs/reference/admin/node/admin.auth.DecodedIdToken#auth_time

Steps to reproduce:

  1. Create the following firestore.rules file:

     rules_version = '2';
     service cloud.firestore {
       match /databases/{database}/documents {
         allow read, write: if request.auth != null && request.auth.token.auth_time < request.auth.token.iat;
       }
     }

  2. Use npm run serve to run the new rules in your local emulators.
  3. Sign in as a user on your client app.

Expected Result:

All reads and writes should fail for about the first hour. But after an hour has passed (and firebase has automatically issued the user a new token) the reads and writes should start succeeding.

Actual Result:

All reads and writes fail forever. This is because auth_time always changes in lock-step with iat, despite the documentation saying that auth_time should remain stable after login and only iat should change every hour.
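The claim relationship the report describes, as an added example that is not from the issue or from the Firebase SDK: it decodes constructed ID-token payloads (signature deliberately not verified, local inspection only) and checks whether auth_time stays fixed while iat advances across a refresh, which is exactly what a "recent sign-in" rule like the one above depends on. Sample payloads, the user id `u1` and the timestamps are constructed for the example.

```javascript
// Added example (not from the issue): inspect the auth_time and iat claims of a
// Firebase ID token payload. A rule such as `auth_time < iat` is only meaningful
// if auth_time stays at the original sign-in time while iat moves on each refresh.

function decodeJwtPayload(token) {
  // A JWT is header.payload.signature; only the payload is inspected here.
  // The signature is NOT verified: use this for local inspection, never for authz.
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Seconds since the user actually authenticated, per the documented auth_time semantics.
function secondsSinceSignIn(payload, nowSeconds) {
  return nowSeconds - payload.auth_time;
}

// Mirrors the rule in the issue: true only for a token issued after the sign-in.
function isRefreshedToken(payload) {
  return payload.auth_time < payload.iat;
}

// Two tokens for the same user: a refresh must advance iat but leave auth_time alone.
function authTimeStableAcrossRefresh(first, second) {
  return first.sub === second.sub &&
         second.iat > first.iat &&
         second.auth_time === first.auth_time;
}

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
// Builds an unsigned, constructed token string just so decodeJwtPayload has input.
function makeToken(payload) {
  return `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(payload)}.sig`;
}

// Constructed payloads: sign-in at t=1000, refresh one hour later.
const SIGN_IN = 1000;
const firstToken      = { sub: 'u1', auth_time: SIGN_IN, iat: SIGN_IN,        exp: SIGN_IN + 3600 };
const documentedRefresh = { sub: 'u1', auth_time: SIGN_IN, iat: SIGN_IN + 3600, exp: SIGN_IN + 7200 };
const observedRefresh   = { sub: 'u1', auth_time: SIGN_IN + 3600, iat: SIGN_IN + 3600, exp: SIGN_IN + 7200 };
```

With the documented behaviour the refreshed token satisfies the rule; with the behaviour the issue reports, auth_time tracks iat and the rule can never become true.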
