
Background on JWT authn filter skew default

Open pauldthomson opened this issue 3 years ago • 0 comments

Description: The below commit added a default clock skew to the JWT authn filter, and mentions that a skew buffer is recommended and seems to use 60s as that's what gRPC uses. I'm wondering if there's any more context to this? We have hit some issues relating to tokens traversing Envoy and non-Envoy-proxied services due to this. Before removing/changing the setting, I just wanted to check there was no rationale that I'm missing, as my naive take is why would someone care so much that a token with say 15m validity expired in 14m30s cos of clock skew?

Thanks for any input.

[optional Relevant Links:] https://github.com/envoyproxy/envoy/commit/cd684e76bda80e140ab90573815f1990ec6f2a6f

pauldthomson, Sep 22 '22 23:09
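
The issue concerns tokens that pass through both Envoy-fronted and non-Envoy services. The sketch below is an added example, not part of the original issue and not Envoy's code: it shows how validators with different skew allowances or drifting clocks reach different verdicts on the same token near its `nbf` and `exp` boundaries. The `Validator` class, its fields, and the sample token are hypothetical, and the rule that the allowance widens the validity window is the common leeway convention (RFC 7519 permits a small leeway), assumed here rather than taken from the page.

```python
# Added illustration: time-claim validation with a clock-skew allowance.
# Assumption: the allowance widens the accepted window on both sides.
from dataclasses import dataclass


@dataclass(frozen=True)
class Validator:
    name: str
    skew: int          # allowance in seconds
    clock_offset: int  # this host's clock error vs. true time (constructed)

    def check(self, claims: dict, true_now: int) -> str:
        now = true_now + self.clock_offset   # what this host believes "now" is
        nbf, exp = claims.get("nbf"), claims.get("exp")
        if nbf is not None and now + self.skew < nbf:
            return "not_yet_valid"
        if exp is not None and now - self.skew >= exp:
            return "expired"
        return "ok"


def disagreements(validators, claims, times):
    """Return (t, {name: verdict}) for each time where the validators differ."""
    out = []
    for t in times:
        verdicts = {v.name: v.check(claims, t) for v in validators}
        if len(set(verdicts.values())) > 1:
            out.append((t, verdicts))
    return out


# Constructed sample: token issued at t=1000 with 15 minutes of validity.
ISSUED = 1000
CLAIMS = {"nbf": ISSUED, "exp": ISSUED + 900}
WITH_SKEW = Validator("skew60", skew=60, clock_offset=0)
NO_SKEW = Validator("skew0", skew=0, clock_offset=0)
SLOW_NO_SKEW = Validator("skew0_slow_clock", skew=0, clock_offset=-20)

if __name__ == "__main__":
    # Probe just before nbf, mid-life, just after exp, and well after exp.
    probe = [ISSUED - 30, ISSUED + 450, ISSUED + 930, ISSUED + 990]
    everyone = [WITH_SKEW, NO_SKEW, SLOW_NO_SKEW]
    for t, verdicts in disagreements(everyone, CLAIMS, probe):
        print(f"t = issue{t - ISSUED:+d}s: {verdicts}")
```

Running it lists only the probe times at which the validators split, which is where a request accepted at one hop can be rejected at the next.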