refactor!: set default clock skew tolerance to 15 seconds

BREAKING CHANGE: Default clock skew tolerance is now set to 15 seconds (previously 0 seconds tolerance). This can be reverted using the `clockTolerance` configuration option.

certification/fapi/index.js

@@ -167,7 +167,6 @@ const fapi = new Provider(ISSUER, {
     id_token_signed_response_alg: 'PS256',
     request_object_signing_alg: 'PS256',
   },
-  clockTolerance: 5,
   features: {
     ciba: {
       enabled: true,

docs/README.md

@@ -2088,7 +2088,7 @@ _**recommendation**_: Only set this to a reasonable value when needed to cover s
 
 _**default value**_:
 ```js
-0
+15
 ```
 
 ### conformIdTokenClaims

lib/helpers/defaults.js

@@ -674,7 +674,7 @@ function makeDefaults() {
      * recommendation: Only set this to a reasonable value when needed to cover server-side client and
      *   oidc-provider server clock skew.
      */
-    clockTolerance: 0,
+    clockTolerance: 15,
 
     /*
      * conformIdTokenClaims

test/client_auth/client_auth.test.js

@@ -1023,7 +1023,7 @@ describe('client authentication options', () => {
         sub: 'client-jwt-secret',
         iss: 'client-jwt-secret',
       }, this.key, 'HS256', {
-        expiresIn: -1,
+        expiresIn: -300,
       }).then((assertion) => this.agent.post(route)
         .send({
           client_assertion: assertion,

test/sessions/sessions.test.js

@@ -23,7 +23,7 @@ describe('session exp handling', () => {
     await this.login();
     const session = this.getSession();
     const oldSessionId = this.getSessionId();
-    session.exp = epochTime();
+    session.exp = epochTime() - 300;
 
     sinon.spy(this.TestAdapter.for('Session'), 'destroy');