From f98e9678caf5be1025f47b80a41ba15f3ddf8cb7 Mon Sep 17 00:00:00 2001
From: Timo Sirainen
Date: Fri, 15 Aug 2025 11:48:53 +0300
Subject: [PATCH] lib-oauth2: jwt - Allow nbf and iat to point 1 second into future

The token could have just been generated with a server where time is slightly into the future compared to this server.
---
 src/lib-oauth2/oauth2-jwt.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/lib-oauth2/oauth2-jwt.c b/src/lib-oauth2/oauth2-jwt.c
index 6192283292..4688796751 100644
--- a/src/lib-oauth2/oauth2-jwt.c
+++ b/src/lib-oauth2/oauth2-jwt.c
@@ -499,11 +499,14 @@ oauth2_jwt_body_process(const struct oauth2_settings *set,
 } else if (ret == 0 || iat == 0)
 iat = t0;
- if (nbf > t0) {
+ /* Token could have been just generated with a server where time is
+ slightly newer than this server's time. Allow 1 second difference
+ to avoid random failures due to token being into future. */
+ if (nbf > t0 + 1) {
 *error_r = "Token is not valid yet";
 return -1;
 }
- if (iat > t0) {
+ if (iat > t0 + 1) {
 *error_r = "Token is issued in future";
 return -1;
 }
--
2.47.3
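Review bot: The 1-second leeway is a bare literal repeated in both comparisons (`if (nbf > t0 + 1) {` and `if (iat > t0 + 1) {`), so a later edit to one check can silently leave the other with a different tolerance, and the accepted clock skew is hard to find when auditing how strictly nbf/iat are enforced. Hoist it into a single named constant near the top of the file, e.g. `#define OAUTH2_JWT_CLOCK_SKEW_SECS 1`, and write the checks as `if (nbf > t0 + OAUTH2_JWT_CLOCK_SKEW_SECS) {` and `if (iat > t0 + OAUTH2_JWT_CLOCK_SKEW_SECS) {`, with the new comment moved next to the constant so the rationale is stated once. A small skew allowance on nbf is what RFC 7519 anticipates, but the hunk applies it only to future-dated claims; if oauth2_jwt_body_process also compares exp against t0 outside this hunk, the comment should say the leeway is deliberately not applied to expiry so the asymmetry is not mistaken for an oversight. The enclosing function starts before and continues past the hunk.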