From bd3146187d56bc23a64a2e8ba56eb654f4945b48 Mon Sep 17 00:00:00 2001
From: cgostuff
Date: Sat, 2 Oct 2021 14:14:53 +0200
Subject: [PATCH] increased nbf-leeway to 5 minutes

---
 oidc/verify.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/oidc/verify.go b/oidc/verify.go
index dc6b56df..10ceb1f1 100644
--- a/oidc/verify.go
+++ b/oidc/verify.go
@@ -274,7 +274,9 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok
 // If nbf claim is provided in token, ensure that it is indeed in the past.
 if token.NotBefore != nil {
 nbfTime := time.Time(*token.NotBefore)
- leeway := 1 * time.Minute
+ // Set to 5 minutes since this is what other OpenID Connect providers do to deal with clock skew.
+ // https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/6.12.2/src/Microsoft.IdentityModel.Tokens/TokenValidationParameters.cs#L149-L153
+ leeway := 5 * time.Minute
 if nowTime.Add(leeway).Before(nbfTime) {
 return nil, fmt.Errorf("oidc: current time %v before the nbf (not before) time: %v", nowTime, nbfTime)