Add OIDC client access token expires in skew

extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/OidcClientConfig.java

@@ -26,6 +26,7 @@ public OidcClientConfig(io.quarkus.oidc.client.runtime.OidcClientConfig mapping)
         scopes = mapping.scopes();
         refreshTokenTimeSkew = mapping.refreshTokenTimeSkew();
         accessTokenExpiresIn = mapping.accessTokenExpiresIn();
+        accessTokenExpirySkew = mapping.accessTokenExpirySkew();
         absoluteExpiresIn = mapping.absoluteExpiresIn();
         grant.addConfigMappingValues(mapping.grant());
         grantOptions = mapping.grantOptions();
@@ -64,6 +65,11 @@ public OidcClientConfig(io.quarkus.oidc.client.runtime.OidcClientConfig mapping)
      */
     public Optional<Duration> accessTokenExpiresIn = Optional.empty();
 
+    /**
+     * Access token expiry time skew that can be added to the calculated token expiry time.
+     */
+    public Optional<Duration> accessTokenExpirySkew = Optional.empty();
+
     /**
      * If the access token 'expires_in' property should be checked as an absolute time value
      * as opposed to a duration relative to the current time.
@@ -97,6 +103,11 @@ public Optional<Duration> accessTokenExpiresIn() {
         return accessTokenExpiresIn;
     }
 
+    @Override
+    public Optional<Duration> accessTokenExpirySkew() {
+        return accessTokenExpirySkew;
+    }
+
     @Override
     public boolean absoluteExpiresIn() {
         return absoluteExpiresIn;

extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/OidcClientConfigBuilder.java

@@ -26,6 +26,7 @@ private static class OidcClientConfigImpl extends OidcClientCommonConfigImpl imp
         private final Grant grant;
         private final boolean absoluteExpiresIn;
         private final Optional<Duration> accessTokenExpiresIn;
+        private final Optional<Duration> accessTokenExpirySkew;
         private final Optional<Duration> refreshTokenTimeSkew;
         private final Optional<List<String>> scopes;
         private final boolean clientEnabled;
@@ -39,6 +40,7 @@ private OidcClientConfigImpl(OidcClientConfigBuilder builder) {
             this.grant = builder.grant;
             this.absoluteExpiresIn = builder.absoluteExpiresIn;
             this.accessTokenExpiresIn = builder.accessTokenExpiresIn;
+            this.accessTokenExpirySkew = builder.accessTokenExpirySkew;
             this.refreshTokenTimeSkew = builder.refreshTokenTimeSkew;
             this.scopes = builder.scopes.isEmpty() ? Optional.empty() : Optional.of(List.copyOf(builder.scopes));
             this.clientEnabled = builder.clientEnabled;
@@ -70,6 +72,11 @@ public Optional<Duration> accessTokenExpiresIn() {
             return accessTokenExpiresIn;
         }
 
+        @Override
+        public Optional<Duration> accessTokenExpirySkew() {
+            return accessTokenExpirySkew;
+        }
+
         @Override
         public boolean absoluteExpiresIn() {
             return absoluteExpiresIn;
@@ -103,6 +110,7 @@ public Map<String, String> headers() {
     private Grant grant;
     private boolean absoluteExpiresIn;
     private Optional<Duration> accessTokenExpiresIn;
+    private Optional<Duration> accessTokenExpirySkew;
     private Optional<Duration> refreshTokenTimeSkew;
     private boolean clientEnabled;
     private Optional<String> id;
@@ -118,6 +126,7 @@ public OidcClientConfigBuilder(OidcClientConfig config) {
         this.grant = config.grant();
         this.absoluteExpiresIn = config.absoluteExpiresIn();
         this.accessTokenExpiresIn = config.accessTokenExpiresIn();
+        this.accessTokenExpirySkew = config.accessTokenExpirySkew();
         this.refreshTokenTimeSkew = config.refreshTokenTimeSkew();
         this.clientEnabled = config.clientEnabled();
         this.id = config.id();
@@ -219,6 +228,15 @@ public OidcClientConfigBuilder accessTokenExpiresIn(Duration accessTokenExpiresI
         return this;
     }
 
+    /**
+     * @param accessTokenExpirySkew {@link OidcClientConfig#accessTokenExpirySkew()}
+     * @return this builder
+     */
+    public OidcClientConfigBuilder accessTokenExpirySkew(Duration accessTokenExpirySkew) {
+        this.accessTokenExpirySkew = Optional.ofNullable(accessTokenExpirySkew);
+        return this;
+    }
+
     /**
      * @param refreshTokenTimeSkew {@link OidcClientConfig#refreshTokenTimeSkew()}
      * @return this builder

extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/runtime/OidcClientConfig.java

@@ -47,6 +47,11 @@ public interface OidcClientConfig extends OidcClientCommonConfig {
      */
     Optional<Duration> accessTokenExpiresIn();
 
+    /**
+     * Access token expiry time skew that can be added to the calculated token expiry time.
+     */
+    Optional<Duration> accessTokenExpirySkew();
+
     /**
      * If the access token 'expires_in' property should be checked as an absolute time value
      * as opposed to a duration relative to the current time.

extensions/oidc-client/runtime/src/main/java/io/quarkus/oidc/client/runtime/OidcClientImpl.java

@@ -287,6 +287,9 @@ private Long getAccessTokenExpiresAtValue(String token, Object expiresInValue) {
             final long now = System.currentTimeMillis() / 1000;
             expiresAt = now + oidcConfig.accessTokenExpiresIn().get().toSeconds();
         }
+        if (expiresAt != null && oidcConfig.accessTokenExpirySkew().isPresent()) {
+            expiresAt += oidcConfig.accessTokenExpirySkew().get().getSeconds();
+        }
         return expiresAt;
     }
 

extensions/oidc-client/runtime/src/test/java/io/quarkus/oidc/client/OidcClientConfigImpl.java

@@ -49,6 +49,7 @@ enum ConfigMappingMethods {
         SCOPES,
         REFRESH_TOKEN_TIME_SKEW,
         ACCESS_TOKEN_EXPIRES_IN,
+        ACCESS_TOKEN_EXPIRY_SKEW,
         ABSOLUTE_EXPIRES_IN,
         GRANT,
         GRANT_TYPE,
@@ -338,6 +339,12 @@ public Optional<Duration> accessTokenExpiresIn() {
         return Optional.empty();
     }
 
+    @Override
+    public Optional<Duration> accessTokenExpirySkew() {
+        invocationsRecorder.put(ConfigMappingMethods.ACCESS_TOKEN_EXPIRY_SKEW, true);
+        return Optional.empty();
+    }
+
     @Override
     public boolean absoluteExpiresIn() {
         invocationsRecorder.put(ConfigMappingMethods.ABSOLUTE_EXPIRES_IN, true);

integration-tests/oidc-client-wiremock/src/main/resources/application.properties

@@ -12,6 +12,7 @@ quarkus.oidc-client.configured-expires-in.client-id=quarkus-app
 quarkus.oidc-client.configured-expires-in.credentials.client-secret.value=secret
 quarkus.oidc-client.configured-expires-in.credentials.client-secret.method=post
 quarkus.oidc-client.configured-expires-in.access-token-expires-in=5S
+quarkus.oidc-client.configured-expires-in.access-token-expiry-skew=2S
 
 quarkus.oidc-client.jwtbearer.auth-server-url=${keycloak.url}
 quarkus.oidc-client.jwtbearer.discovery-enabled=false

integration-tests/oidc-client-wiremock/src/test/java/io/quarkus/it/keycloak/OidcClientTest.java

@@ -63,7 +63,7 @@ public void testGetAccessTokenWithConfiguredExpiresIn() {
         assertEquals("access_token_without_expires_in", data[0]);
 
         long now = System.currentTimeMillis() / 1000;
-        long expectedExpiresAt = now + 5;
+        long expectedExpiresAt = now + 7;
         long accessTokenExpiresAt = Long.valueOf(data[1]);
         assertTrue(accessTokenExpiresAt >= expectedExpiresAt
                 && accessTokenExpiresAt <= expectedExpiresAt + 4);