Update the ValidateExpirationDate handlers to support TokenValidationParameters.ClockSkew

src/OpenIddict.Client/OpenIddictClientHandlers.Protection.cs

@@ -597,7 +597,7 @@ public static partial class OpenIddictClientHandlers
                 Debug.Assert(context.Principal is { Identity: ClaimsIdentity }, SR.GetResourceString(SR.ID4006));
 
                 var date = context.Principal.GetExpirationDate();
-                if (date.HasValue && date.Value < DateTimeOffset.UtcNow)
+                if (date.HasValue && date.Value.Add(context.TokenValidationParameters.ClockSkew) < DateTimeOffset.UtcNow)
                 {
                     context.Reject(
                         error: Errors.InvalidToken,

src/OpenIddict.Server/OpenIddictServerHandlers.Protection.cs

@@ -888,7 +888,7 @@ public static partial class OpenIddictServerHandlers
                 Debug.Assert(context.Principal is { Identity: ClaimsIdentity }, SR.GetResourceString(SR.ID4006));
 
                 var date = context.Principal.GetExpirationDate();
-                if (date.HasValue && date.Value < DateTimeOffset.UtcNow)
+                if (date.HasValue && date.Value.Add(context.TokenValidationParameters.ClockSkew) < DateTimeOffset.UtcNow)
                 {
                     context.Reject(
                         error: context.Principal.GetTokenType() switch

src/OpenIddict.Validation/OpenIddictValidationHandlers.Protection.cs

@@ -601,7 +601,7 @@ public static partial class OpenIddictValidationHandlers
                 Debug.Assert(context.Principal is { Identity: ClaimsIdentity }, SR.GetResourceString(SR.ID4006));
 
                 var date = context.Principal.GetExpirationDate();
-                if (date.HasValue && date.Value < DateTimeOffset.UtcNow)
+                if (date.HasValue && date.Value.Add(context.TokenValidationParameters.ClockSkew) < DateTimeOffset.UtcNow)
                 {
                     context.Logger.LogInformation(SR.GetResourceString(SR.ID6156));