diff --git a/core/src/main/java/org/keycloak/representations/JsonWebToken.java b/core/src/main/java/org/keycloak/representations/JsonWebToken.java
index 04071b6ab9..9b2f1d57be 100755
--- a/core/src/main/java/org/keycloak/representations/JsonWebToken.java
+++ b/core/src/main/java/org/keycloak/representations/JsonWebToken.java
@@ -91,10 +91,9 @@ public class JsonWebToken implements Serializable {
 return this;
 }
- @JsonIgnore
- public boolean isNotBefore() {
- return Time.currentTime() >= notBefore;
+ public boolean isNotBefore(int allowedTimeSkew) {
+ return Time.currentTime() + allowedTimeSkew >= notBefore;
 }
 /**
@@ -104,7 +103,12 @@ public class JsonWebToken implements Serializable {
 */
 @JsonIgnore
 public boolean isActive() {
- return (!isExpired() || expiration == 0) && (isNotBefore() || notBefore == 0);
+ return isActive(0);
+ }
+
+ @JsonIgnore
+ public boolean isActive(int allowedTimeSkew) {
+ return (!isExpired() || expiration == 0) && (isNotBefore(allowedTimeSkew) || notBefore == 0);
 }
 public int getIssuedAt() {
diff --git a/core/src/test/java/org/keycloak/jose/JsonWebTokenTest.java b/core/src/test/java/org/keycloak/jose/JsonWebTokenTest.java
index addd6f30ab..0830cde046 100644
--- a/core/src/test/java/org/keycloak/jose/JsonWebTokenTest.java
+++ b/core/src/test/java/org/keycloak/jose/JsonWebTokenTest.java
@@ -18,11 +18,13 @@ package org.keycloak.jose;
 import org.junit.Test;
+import org.keycloak.common.util.Time;
 import org.keycloak.representations.JsonWebToken;
 import org.keycloak.util.JsonSerialization;
 import java.io.IOException;
+import static junit.framework.TestCase.assertFalse;
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertTrue;
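Review bot: The no-arg `isNotBefore()` is deleted outright while `isActive()` in the next hunk keeps a delegating no-arg overload, so any caller of the old signature outside this diff now fails to compile; the same compatibility shim is cheap here: `@JsonIgnore public boolean isNotBefore() { return isNotBefore(0); }`. Dropping `@JsonIgnore` from the one-arg version is fine in itself, since Jackson does not treat a method with a parameter as a bean property, but a no-arg form would need the annotation back for exactly that reason. The new parameter also deserves a one-line Javadoc stating that it is in the same unit as `Time.currentTime()` and `notBefore` (seconds, presumably — confirm) and that a negative value only makes the check stricter, while a value large enough to overflow the `int` addition wraps negative and so fails closed rather than open.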
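Review bot: The new `isActive(int allowedTimeSkew)` carries no Javadoc even though the comment block ending at `*/` just above documents only the no-arg `isActive()`, and the one thing a caller must know is not obvious from the body: the skew is fed only into `isNotBefore(allowedTimeSkew)`, while `isExpired()` is still evaluated against the unadjusted clock. That asymmetry — tolerating an issuer clock that lags ours but not one that leads it — may well be intended, but it should be stated so nobody later "fixes" it in either direction; e.g. `/** Like {@link #isActive()}, but accepts a {@code nbf} up to {@code allowedTimeSkew} seconds in the future; the skew is not applied to {@code exp}. */`. Note also that the pre-existing `expiration == 0` / `notBefore == 0` escape hatches mean a token carrying neither claim is active regardless of the skew. `getIssuedAt()` on the last hunk line continues outside the hunk.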
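Review bot: The added static import takes `assertFalse` from `junit.framework.TestCase`, the JUnit 3 API, while the adjacent `assertArrayEquals` and `assertTrue` come from `org.junit.Assert`; change it to `import static org.junit.Assert.assertFalse;` so the test file depends on one assertion API and does not reintroduce the legacy `junit.framework` package. It reads as an IDE auto-import rather than a deliberate choice, and the two `assertFalse` variants are not interchangeable in every respect (message-argument order differs between the two APIs).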
@@ -35,7 +37,7 @@ public class JsonWebTokenTest {
 public void testAudSingle() throws IOException {
 String single = "{ \"aud\": \"test\" }";
 JsonWebToken s = JsonSerialization.readValue(single, JsonWebToken.class);
- assertArrayEquals(new String[] { "test" }, s.getAudience());
+ assertArrayEquals(new String[]{"test"}, s.getAudience());
 }
 @Test
@@ -59,4 +61,40 @@ public class JsonWebTokenTest {
 assertTrue(JsonSerialization.writeValueAsPrettyString(jsonWebToken).contains("\"aud\" : [ \"test\", \"test2\" ]"));
 }
+ @Test
+ public void isActiveReturnFalseWhenBeforeTimeInFuture() {
+ int currentTime = Time.currentTime();
+ int futureTime = currentTime + 10;
+ JsonWebToken jsonWebToken = new JsonWebToken();
+ jsonWebToken.notBefore(futureTime);
+ assertFalse(jsonWebToken.isActive());
+ }
+
+ @Test
+ public void isActiveReturnTrueWhenBeforeTimeInPast() {
+ int currentTime = Time.currentTime();
+ int pastTime = currentTime - 10;
+ JsonWebToken jsonWebToken = new JsonWebToken();
+ jsonWebToken.notBefore(pastTime);
+ assertTrue(jsonWebToken.isActive());
+ }
+
+ @Test
+ public void isActiveShouldReturnTrueWhenBeforeTimeInFutureWithinTimeSkew() {
+ int notBeforeTime = Time.currentTime() + 5;
+ int allowedClockSkew = 10;
+ JsonWebToken jsonWebToken = new JsonWebToken();
+ jsonWebToken.notBefore(notBeforeTime);
+ assertTrue(jsonWebToken.isActive(allowedClockSkew));
+ }
+
+ @Test
+ public void isActiveShouldReturnFalseWhenWhenBeforeTimeInFutureOutsideTimeSkew() {
+ int notBeforeTime = Time.currentTime() + 10;
+ int allowedClockSkew = 5;
+ JsonWebToken jsonWebToken = new JsonWebToken();
+ jsonWebToken.notBefore(notBeforeTime);
+ assertFalse(jsonWebToken.isActive(allowedClockSkew));
+ }
+
 }
diff --git a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
index 30c05b3eb5..5251522075 100755
--- a/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
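Review bot: The four new tests cover strictly inside and strictly outside the skew window but never the boundary defined by the `>=` in `isNotBefore`, and none of them sets `expiration`, so as far as is visible every case passes the `!isExpired() || expiration == 0` half of `isActive` through the `== 0` escape hatch rather than through a real expiry check; add a boundary case such as `jsonWebToken.notBefore(Time.currentTime() + 10); assertTrue(jsonWebToken.isActive(10));` and one that sets an `expiration` a few seconds in the past and asserts `isActive(10)` is false, which pins down that the skew is not applied to `exp`. The tests read the real clock through `Time.currentTime()`; the ±10 s margins used here are safe because the clock only moves forward, but a just-outside case (e.g. `nbf = now + 11` with skew 10) would flip if a second ticks between the two calls, so keep margins of several seconds unless `Time` offers a way to fix the clock (not visible here). Minor: `isActiveShouldReturnFalseWhenWhenBeforeTimeInFutureOutsideTimeSkew` has a doubled `When`, and the first two test names drop the `Should` that the last two use.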
+++ b/services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
@@ -21,7 +21,6 @@ import org.jboss.logging.Logger;
 import org.keycloak.OAuth2Constants;
 import org.keycloak.OAuthErrorException;
 import org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper;
-import org.keycloak.broker.provider.AuthenticationRequest;
 import org.keycloak.broker.provider.BrokeredIdentityContext;
 import org.keycloak.broker.provider.ExchangeExternalToken;
 import org.keycloak.broker.provider.IdentityBrokerException;
@@ -478,7 +477,7 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider +
+ +
+ +
+ {{:: 'identity-provider.allowed-clock-skew.tooltip' | translate}} +
+
{{:: 'import-external-idp-config' | translate}} {{:: 'import-external-idp-config.tooltip' | translate}}