Merge pull request #128 from nyndo/leeway-nbf-exp

 Leeway due to clock skew when checking exp and nbf

Author: jumbojett

CHANGELOG.md

@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 ## [Unreleased]
 
 ### Added
+* Added five minutes leeway due to clock skew between openidconnect server and client.
 * Fix save access_token from request in implicit flow authentication #129
 * verifyJWTsignature() method private -> public #126
 * Support for providers where provider/login URL is not the same as the issuer URL. #125

src/OpenIDConnectClient.php

@@ -189,6 +189,11 @@ class OpenIDConnectClient
      */
     protected $timeOut = 60;
 
+    /**
+     * @var int leeway (seconds)
+     */
+    private $leeway = 300;
+	
     /**
      * @var array holds response types
      */
@@ -871,8 +876,8 @@ private function verifyJWTclaims($claims, $accessToken = null) {
         return (($claims->iss == $this->getIssuer() || $claims->iss == $this->getWellKnownIssuer() || $claims->iss == $this->getWellKnownIssuer(true))
             && (($claims->aud == $this->clientID) || (in_array($this->clientID, $claims->aud)))
             && ($claims->nonce == $this->getNonce())
-            && ( !isset($claims->exp) || $claims->exp >= time())
-            && ( !isset($claims->nbf) || $claims->nbf <= time())
+            && ( !isset($claims->exp) || $claims->exp >= time() - $this->leeway)
+            && ( !isset($claims->nbf) || $claims->nbf <= time() + $this->leeway)
             && ( !isset($claims->at_hash) || $claims->at_hash == $expecte_at_hash )
         );
     }