fix: Add a 60-second leeway to the JWT validation logic (authlib#689)

liudonggalaxy · azmeuk · Rocky Allen · commit 4089ce392624 · 2025-06-23T13:44:21.000-04:00
* Add a 60-second leeway to the JWT validation logic

* Add parameter name

* Shorten lines.

---------

Co-authored-by: Éloi Rivard &lt;eloi@yaal.coop&gt;
diff --git a/authlib/oauth2/rfc7523/client.py b/authlib/oauth2/rfc7523/client.py
@@ -19,9 +19,12 @@ class JWTBearerClientAssertion:
     #: Name of the client authentication method
     CLIENT_AUTH_METHOD = "client_assertion_jwt"
 
-    def __init__(self, token_url, validate_jti=True):
+    def __init__(self, token_url, validate_jti=True, leeway=60):
         self.token_url = token_url
         self._validate_jti = validate_jti
+        # A small allowance of time, typically no more than a few minutes,
+        # to account for clock skew. The default is 60 seconds.
+        self.leeway = leeway
 
     def __call__(self, query_client, request):
         data = request.form
@@ -64,7 +67,7 @@ def process_assertion_claims(self, assertion, resolve_key):
             claims = jwt.decode(
                 assertion, resolve_key, claims_options=self.create_claims_options()
             )
-            claims.validate()
+            claims.validate(leeway=self.leeway)
         except JoseError as e:
             log.debug("Assertion Error: %r", e)
             raise InvalidClientError() from e
diff --git a/authlib/oauth2/rfc7523/jwt_bearer.py b/authlib/oauth2/rfc7523/jwt_bearer.py
@@ -26,6 +26,10 @@ class JWTBearerGrant(BaseGrant, TokenEndpointMixin):
         "exp": {"essential": True},
     }
 
+    # A small allowance of time, typically no more than a few minutes,
+    # to account for clock skew. The default is 60 seconds.
+    LEEWAY = 60
+
     @staticmethod
     def sign(
         key,
@@ -55,7 +59,7 @@ def process_assertion_claims(self, assertion):
             claims = jwt.decode(
                 assertion, self.resolve_public_key, claims_options=self.CLAIMS_OPTIONS
             )
-            claims.validate()
+            claims.validate(leeway=self.LEEWAY)
         except JoseError as e:
             log.debug("Assertion Error: %r", e)
             raise InvalidGrantError(description=e.description) from e
