We need to understand the impact of updating the skew clock property under the message security tab in the WSM domain configuration of the WebLogic server.
Currently, we need to implement an OAuth2 token authorization service in a SOA BPEL service and get the refreshed token from the Microsoft token provider service immediately after the token expires.
But we find that the JWT token received from Microsoft gets stored in the WSM cache-store until it expires.
The JWT token lifetime was affected by the clock skew property value set under the message security tab in the WSM domain configuration.
Skew Clock: 360,000 ms
JWT Token Actual Lifetime: 1 hour
JWT Token Actual Start-Time: Issued At Time (IAT) attached with the token
JWT Token Updated Start time after Skew Clock Consideration: IAT - Skew Clock
JWT Token Actual End-Time: Expire At Time (exp) attached with the token
JWT Token Updated End time after Skew Clock Consideration: EXP + Skew Clock
The exceptions were received in the period between the JWT token actual end-time (expired at client side) and the JWT token expiry time in the WebLogic server.
By this, we got to understand that the client machine runs in the same clock time as the WebLogic server. So, in this case, as the client skew clock value is 0 ms (zero), we need the server skew clock value to be updated from 360,000 ms (default) to 0 ms (zero) in order to be in sync.
Our questions are:
1. Can the skew clock property under the message security section of the WSM domain configuration of the WebLogic server be set to 0 ms?
2. What if the WebLogic server needs to connect with multiple clients with different clock times? How should the skew clock be configured to have no exceptions and data loss?
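
The window arithmetic described in the post, as an added example (not Oracle WSM code and not part of the original question): a model of a cache that keeps a token until exp + skew and a verifier that checks [iat - skew, exp + skew] on its own clock. The function names, the verifier clock offsets and the constructed token are assumptions; the model goes beyond the post's single case by covering verifiers whose clocks differ.

```python
from dataclasses import dataclass

SKEW_S = 360  # 360,000 ms, the skew value quoted in the post


@dataclass(frozen=True)
class Token:
    iat: int  # issued-at, seconds (cache host clock)
    exp: int  # expiry, seconds


def accepts(tok, true_now, skew_s, clock_offset_s=0):
    """Window from the post, [iat - skew, exp + skew], on the party's own clock."""
    local_now = true_now + clock_offset_s
    return tok.iat - skew_s <= local_now <= tok.exp + skew_s


def rejected_while_cached(tok, cache_skew_s, verifier_skew_s, verifier_offset_s=0):
    """Inclusive time intervals in which the cache still serves the token
    (from iat until exp + cache skew) but the verifier refuses it."""
    intervals = []
    for t in range(tok.iat, tok.exp + cache_skew_s + 1):
        if accepts(tok, t, verifier_skew_s, verifier_offset_s):
            continue
        if intervals and intervals[-1][1] == t - 1:
            intervals[-1][1] = t          # extend the current interval
        else:
            intervals.append([t, t])      # start a new interval
    return [tuple(i) for i in intervals]


def max_cache_skew(verifiers):
    """Largest cache-side skew that never outlives any verifier's window.
    verifiers: (skew_s, clock_offset_s) pairs (hypothetical values); a negative
    result means the cached token must be dropped that many seconds before exp."""
    return min(skew - offset for skew, offset in verifiers)


if __name__ == "__main__":
    tok = Token(iat=0, exp=3600)  # constructed token with the post's 1-hour lifetime
    print(rejected_while_cached(tok, SKEW_S, 0))  # same clock, verifier skew 0
    print(rejected_while_cached(tok, 0, 0))       # cache skew lowered to 0
    print(max_cache_skew([(0, 0), (0, 45), (300, -20)]))
```

A verifier whose clock runs behind rejects a fresh token as not yet valid, which no cache-side skew value removes; the model reports that as an interval starting at iat.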