From cfc7ec8bb990e6ccce530335583ffeecca312973 Mon Sep 17 00:00:00 2001
From: hbzhost <145801687+hbzhost@users.noreply.github.com>
Date: Wed, 4 Mar 2026 06:11:14 -0700
Subject: [PATCH] [client] Fix SSH JWT auth failure with Azure Entra ID iat backdating (#5471)

Increase DefaultJWTMaxTokenAge from 5 to 10 minutes to accommodate identity providers like Azure Entra ID that backdate the iat claim by up to 5 minutes, causing tokens to be immediately rejected.

Fixes #5449

Co-authored-by: Claude Opus 4.6 (1M context)
---
 client/ssh/server/server.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/client/ssh/server/server.go b/client/ssh/server/server.go
index 1ddb60f8e..4431ae423 100644
--- a/client/ssh/server/server.go
+++ b/client/ssh/server/server.go
@@ -46,8 +46,10 @@ const (
 cmdSFTP = ""
 cmdNonInteractive = ""

- // DefaultJWTMaxTokenAge is the default maximum age for JWT tokens accepted by the SSH server
- DefaultJWTMaxTokenAge = 5 * 60
+ // DefaultJWTMaxTokenAge is the default maximum age for JWT tokens accepted by the SSH server.
+ // Set to 10 minutes to accommodate identity providers like Azure Entra ID
+ // that backdate the iat claim by up to 5 minutes.
+ DefaultJWTMaxTokenAge = 10 * 60
 )

 var (
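Review bot: Raising `DefaultJWTMaxTokenAge` to `10 * 60` widens the acceptance window for every identity provider, not only those that backdate `iat`. A token from a provider that does not backdate is therefore accepted for up to ten minutes after issuance instead of five, and the new comment does not mention that trade-off. The constant also carries no unit. I would extend the comment with something like `// Value is in seconds. Providers that do not backdate iat get the full 10-minute acceptance window.` If this default can be overridden per deployment (the consuming code and the start of the `const (` block are outside the hunk, so I cannot tell), the comment should point to that setting so deployments on other providers can keep the tighter limit.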