Aggressive leeway in OAuth2 prevents OIDC flow from working

Open nonsleepr opened this issue 1 year ago • 1 comment

The OAuth2 leeway marks a short-lived valid token as expired, breaking the flow

In my case the IdP returns an access_token which is valid for 59 seconds. It does not return a refresh_token. The leeway of 60 marks the fresh token as expired and breaks the flow.

Error Stacks

   File ".../authlib/integrations/httpx_client/oauth2_client.py", line 86, in request
     await self.ensure_active_token(self.token)
   File ".../authlib/integrations/httpx_client/oauth2_client.py", line 124, in ensure_active_token
     raise InvalidTokenError()
 authlib.integrations.base_client.errors.InvalidTokenError: token_invalid:

To Reproduce

  • Issue a token with expires_at 59 seconds in advance and don't provide a refresh_token.

Expected behavior

The flow completes successfully.

Environment:

  • OS: Linux
  • Python Version: 3.11
  • Authlib Version: 1.4.1 (though 1.5.1 has the same issue)

Additional context

This commit added a "small timedelta to consider token as expired before it actually expires".

nonsleepr avatar Mar 05 '25 19:03 nonsleepr

Hi. Thank you for your bug report. Did you try to lower the leeway when you initialize your client? Anyway, I suppose the httpx client could avoid raising an InvalidTokenError exception if the token is actually still active.

azmeuk avatar Mar 11 '25 08:03 azmeuk
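The following is an added example, not authlib's own code and not posted by either participant. It models the decision the traceback above is made in (is the token still usable, and if not, can it be refreshed?) so the effect of the leeway value from the report can be checked offline: a 59-second token is judged expired the moment it arrives under a 60-second leeway, and becomes usable once the leeway is lowered below the token lifetime, as the maintainer suggests. The function names `is_expired`, `ensure_active_token`, `issue_token` and `can_use`, the `refresh` callback parameter, and the sample token values and timestamp are all illustrative assumptions, not authlib's API.

```python
"""Model of a leeway check that expires a 59-second token on arrival.

Added example (not authlib's code): the names below are stand-ins
chosen to mirror the traceback in the report, and the token values
and timestamp are constructed sample data.
"""
import time


class InvalidTokenError(Exception):
    """Stand-in for the error raised when no usable token is available."""


def is_expired(token, leeway, now=None):
    """True if the token expires within `leeway` seconds of `now`.

    A token is treated as already expired once it is within `leeway`
    seconds of its `expires_at`; that is what turns a 59-second token
    into an expired one under a 60-second leeway.
    """
    expires_at = token.get("expires_at")
    if expires_at is None:
        return False  # no expiry known: assume still usable
    now = time.time() if now is None else now
    return expires_at < now + leeway


def ensure_active_token(token, leeway, now=None, refresh=None):
    """Return a usable token or raise InvalidTokenError.

    An expired token is refreshed when a refresh_token is present and a
    `refresh` callback (illustrative) is supplied; otherwise the request
    cannot proceed, which is the path the report hits.
    """
    if not is_expired(token, leeway, now):
        return token
    if token.get("refresh_token") and refresh is not None:
        return refresh(token)
    raise InvalidTokenError("token_invalid")


def issue_token(lifetime, now, refresh_token=None):
    """Constructed sample token shaped like an IdP token response."""
    tok = {
        "access_token": "sample-access-token",  # constructed value
        "token_type": "Bearer",
        "expires_in": lifetime,
        "expires_at": now + lifetime,
    }
    if refresh_token:
        tok["refresh_token"] = refresh_token
    return tok


def can_use(lifetime, leeway, elapsed=0, issued_at=1_700_000_000):
    """Outcome of a request made `elapsed` seconds after the token was issued.

    `issued_at` is a constructed epoch timestamp so results are
    deterministic.
    """
    token = issue_token(lifetime, issued_at)  # no refresh_token, as in the report
    try:
        ensure_active_token(token, leeway, now=issued_at + elapsed)
        return True
    except InvalidTokenError:
        return False


if __name__ == "__main__":
    # 59-second token under a 60-second leeway: rejected before first use.
    print(can_use(59, 60))              # False
    # Same token with the leeway lowered below its lifetime: accepted.
    print(can_use(59, 10))              # True
    # A lowered leeway still retires the token early, just less early.
    print(can_use(59, 10, elapsed=50))  # False
```

The check is deliberately kept as a strict `expires_at < now + leeway` comparison so the boundary is visible in the assertions: a leeway equal to the remaining lifetime is still considered active, one second more is not. Picking a leeway for a real client therefore means keeping it comfortably below the shortest token lifetime the IdP issues, and still handling the case where no refresh_token is available.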