From 354fd004c70de55b5e1022f4f505251b0a0912b0 Mon Sep 17 00:00:00 2001
From: Viktor Liu <viktor@netbird.io>
Date: Wed, 20 May 2026 11:30:14 +0200
Subject: [PATCH] Enable IdP JWKS refresh in VNC JWT validator

---
 client/vnc/server/input_darwin.go | 2 +-
 client/vnc/server/server.go       | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/client/vnc/server/input_darwin.go b/client/vnc/server/input_darwin.go
index 3fdbe6ee3..c88fdebad 100644
--- a/client/vnc/server/input_darwin.go
+++ b/client/vnc/server/input_darwin.go
@@ -502,7 +502,7 @@ func (m *MacInputInjector) postScrollWheel(src uintptr, buttonMask uint8) {
 // emits one press+release per ~10 px, so a real gesture arrives as many
 // small events; 20 px per event keeps the resulting macOS scroll fluid
 // without overshooting on a single notch.
-const scrollPixelsPerWheelTick int32 = 20
+const scrollPixelsPerWheelTick int32 = 22
 
 func (m *MacInputInjector) postMouse(src uintptr, eventType int32, x, y float64, button int32) {
 	if cgEventCreateMouseEvent == nil {
diff --git a/client/vnc/server/server.go b/client/vnc/server/server.go
index 46fcc679f..29498c64a 100644
--- a/client/vnc/server/server.go
+++ b/client/vnc/server/server.go
@@ -691,11 +691,13 @@ func (s *Server) ensureJWTValidator() error {
 		return fmt.Errorf("no JWT config")
 	}
 
+	// Enable IdP key refresh so JWKS rotations don't latch the validator
+	// off until daemon restart.
 	s.jwtValidator = nbjwt.NewValidator(
 		s.jwtConfig.Issuer,
 		s.jwtConfig.Audiences,
 		s.jwtConfig.KeysLocation,
-		false,
+		true,
 	)
 
 	var opts []nbjwt.ClaimsExtractorOption