diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go
index 4f4c27cf..79933f30 100644
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@@ -32,7 +32,7 @@ func (p *JWK) GetID() string {
 	return p.Name + ":" + p.Key.KeyID
 }
 
-// GetName returns the name of the provisioner
+// GetName returns the name of the provisioner.
 func (p *JWK) GetName() string {
 	return p.Name
 }
@@ -80,6 +80,7 @@ func (p *JWK) Authorize(token string) ([]SignOption, error) {
 	// more than a few minutes.
 	if err = claims.ValidateWithLeeway(jose.Expected{
 		Issuer: p.Name,
+		Time: time.Now().UTC(),
 	}, time.Minute); err != nil {
 		return nil, errors.Wrapf(err, "invalid token")
 	}
diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go
index c31d3095..bdc67187 100644
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@@ -111,6 +111,7 @@ func (o *OIDC) ValidatePayload(p openIDPayload) error {
 	if err := p.ValidateWithLeeway(jose.Expected{
 		Issuer: o.configuration.Issuer,
 		Audience: jose.Audience{o.ClientID},
+		Time: time.Now().UTC(),
 	}, time.Minute); err != nil {
 		return errors.Wrap(err, "failed to validate payload")
 	}
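Review bot: The added `Time: time.Now().UTC(),` in the `jose.Expected` literal of `Authorize` is what actually switches on exp/nbf validation — in go-jose a zero `Expected.Time` makes `ValidateWithLeeway` skip the time checks entirely, so until this change a JWK token with an expired `exp` was accepted. That is security-critical enough that the line deserves a why-comment so nobody later drops it as redundant: `// Time must be set: go-jose skips exp/nbf checks when Expected.Time is zero.` Note also that go-jose only rejects on `exp` when the claim is present; unless the surrounding code already requires `claims.Expiry != nil` (not visible here), a token with no `exp` still passes this check and the one-minute leeway does nothing for it. `Authorize` begins and ends outside this hunk.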
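Review bot: The same `Time: time.Now().UTC(),` is added to the OIDC `ValidatePayload` literal, but an ID token that omits `exp` is still accepted, because go-jose's `ValidateWithLeeway` only compares `Time` against `Expiry` when the claim is non-nil, and OpenID Connect requires `exp` in every ID token. If `openIDPayload` embeds `jose.Claims` (presumed from the `ValidateWithLeeway` call), a guard before the call such as `if p.Expiry == nil { return errors.New("missing exp claim") }` would close that gap. Having the wall-clock `Time` set by hand in two provisioners also invites a third one to forget it; a small shared helper that builds the `jose.Expected` with `Time` always populated would be harder to get wrong. `ValidatePayload` begins and ends outside this hunk.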