diff --git a/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/oauth2/OAuth2SessionServiceDelegate.java b/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/oauth2/OAuth2SessionServiceDelegate.java
index 326254f4..b9bd13ae 100644
--- a/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/oauth2/OAuth2SessionServiceDelegate.java
+++ b/src/modules/rest/impl/src/main/java/it/geosolutions/geostore/services/rest/security/oauth2/OAuth2SessionServiceDelegate.java
@@ -78,10 +78,12 @@ public abstract class OAuth2SessionServiceDelegate implements SessionServiceDele
 
 private static final Logger LOGGER = LogManager.getLogger(OAuth2SessionServiceDelegate.class);
 
+ private static final long CLOCK_SKEW_ALLOWANCE_MILLIS = 5 * 60 * 1000; // 5 minutes
+
 protected UserService userService;
 
 /**
- * @param restSessionService the session service to which register this delegate.
+ * @param restSessionService the session service to which register this delegate?
 * @param delegateName this delegate name eg. google or GitHub etc...
 */
 public OAuth2SessionServiceDelegate(
@@ -185,8 +187,10 @@ private boolean isTokenExpired(OAuth2AccessToken token) {
 }
 }
 
- // Allow clock skew if necessary
- return expiration.before(new Date());
+ long now = System.currentTimeMillis();
+ long adjustedExpirationTime = expiration.getTime() + CLOCK_SKEW_ALLOWANCE_MILLIS;
+
+ return adjustedExpirationTime <= now;
 }
 
 private Date getExpirationDateFromToken(String token) {
@@ -210,9 +214,8 @@ private Date getExpirationDateFromToken(String token) {
 throw new IllegalArgumentException("Cannot parse 'exp' claim from token");
 }
 
- // The 'exp' claim is usually in seconds since epoch
- Date expiration = new Date(expLong * 1000);
- return expiration;
+ // The 'exp' claim has usually been in seconds since the epoch
+ return new Date(expLong * 1000);
 } else {
 return null;
 }
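Review bot: The Javadoc edit on the constructor's `@param restSessionService` line swaps the terminating period for a question mark, which reads as an accidental keystroke rather than an intended wording change; restore `* @param restSessionService the session service to which register this delegate.`. The new `CLOCK_SKEW_ALLOWANCE_MILLIS` constant would also benefit from a comment saying in which direction the allowance is applied, since the name alone does not tell a reader whether a token is accepted past its `exp` or refreshed before it, e.g. `// Tolerance for clock drift between this host and the token issuer; isTokenExpired decides how it is applied.` The constructor whose Javadoc this is continues outside the hunk.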
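Review bot: The skew allowance in `isTokenExpired` is applied in the direction that lengthens the token's life: with `adjustedExpirationTime = expiration.getTime() + CLOCK_SKEW_ALLOWANCE_MILLIS` and `adjustedExpirationTime <= now`, a token is reported as live for up to five minutes after the issuer's `exp`, so callers keep presenting a token the authorization server already rejects, and if this result also decides whether the session itself stays valid it extends the session beyond what the issuer granted. For a check that gates refreshing, the conservative direction is to treat the token as expired early, `return expiration.getTime() - CLOCK_SKEW_ALLOWANCE_MILLIS <= now;`, and RFC 7519 §4.1.4 recommends that any leeway be no more than a few minutes; if accepting tokens late is genuinely intended, that should be stated in a comment in place of the removed `// Allow clock skew if necessary`. I am inferring from the companion test name that this result drives the refresh decision, so please confirm against the callers. The method's body begins before this hunk, and how `expiration` is obtained when the token carries none is not visible here.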
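Review bot: `return new Date(expLong * 1000);` still converts the claim as seconds with no check on its magnitude, and the reworded comment ("has usually been in seconds") only hedges what the code assumes: an issuer that emits `exp` in milliseconds yields a date thousands of years out, so the token is never treated as expired, while a value above `Long.MAX_VALUE / 1000` overflows silently to a negative time and the token is expired at once. A bounded conversion is `return new Date(Math.multiplyExact(expLong, 1000L));`, with the `ArithmeticException` translated into the `IllegalArgumentException` the surrounding code already throws, and the comment should state the contract rather than a tendency: `// RFC 7519 NumericDate: seconds since the Unix epoch; java.util.Date takes milliseconds`. Whether the claim is read from a signature-verified token is not visible in this hunk, and the method begins before it.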
diff --git a/src/modules/rest/impl/src/test/java/it/geosolutions/geostore/rest/security/oauth2/openid_connect/RefreshTokenServiceTest.java b/src/modules/rest/impl/src/test/java/it/geosolutions/geostore/rest/security/oauth2/openid_connect/RefreshTokenServiceTest.java
index 5bf80371..73902468 100644
--- a/src/modules/rest/impl/src/test/java/it/geosolutions/geostore/rest/security/oauth2/openid_connect/RefreshTokenServiceTest.java
+++ b/src/modules/rest/impl/src/test/java/it/geosolutions/geostore/rest/security/oauth2/openid_connect/RefreshTokenServiceTest.java
@@ -438,7 +438,9 @@ void testRefreshWithExpiredTokenAndUnsuccessfulRefresh() {
 
 // Set the current access token to be expired
 mockOAuth2AccessToken.setExpiration(
- new Date(System.currentTimeMillis() - 1000)); // Set expiration in the past
+ new Date(
+ System.currentTimeMillis()
+ - 5 * 60 * 1000)); // Set expiration in the past (5 minutes)
 serviceDelegate.currentAccessToken = mockOAuth2AccessToken;
 
 // Mock the RestTemplate exchange method to simulate failure in all attempts to refresh the
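Review bot: The new expiration of exactly `System.currentTimeMillis() - 5 * 60 * 1000` sits on the boundary of the five-minute allowance introduced in `isTokenExpired` (`expiration + allowance <= now`), so the test passes only because the clock cannot run backwards between setup and check, and a later change of `<=` to `<` or of the constant would fail it for a reason unrelated to refresh handling. Use a value clearly past the allowance, e.g. `System.currentTimeMillis() - 10 * 60 * 1000`, and keep the original one-second-in-the-past case as a separate assertion that the token is not yet considered expired, since that leniency is the behaviour the allowance introduces and is otherwise untested here. The test method begins before this hunk and continues after it.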