diff --git a/glide.lock b/glide.lock
index 592c9498b86c45d6fd0103fd921dbdb037bf2baf..a4741bda460735b3ebfc9ce7d175aac65d761d4e 100644
--- a/glide.lock
+++ b/glide.lock
@@ -1,12 +1,12 @@
-hash: 723f2faad8f09a97ffb5ce647705b8ee41dbf2f81f91488c60f23d102789a23b
-updated: 2016-12-08T11:11:10.172119799-08:00
+hash: 22c01c4265c210fbf3cd2d55e9451b924a3301e35053c82ebe35171ab7286c83
+updated: 2017-01-06T15:38:29.812891187-08:00
 imports:
 - name: github.com/cockroachdb/cockroach-go
   version: 31611c0501c812f437d4861d87d117053967c955
   subpackages:
   - crdb
 - name: github.com/coreos/go-oidc
-  version: dedb650fb29c39c2f21aa88c1e4cec66da8754d1
+  version: 2b5d73091ea4b7ddb15e3ac00077f153120b5b61
 - name: github.com/ghodss/yaml
   version: bea76d6a4713e18b7f5321a2b020738552def3ea
 - name: github.com/go-sql-driver/mysql
diff --git a/glide.yaml b/glide.yaml
index 901d8eb0d667a4cb7994655dfa1a25fbfca5362b..650bd8bfcf240b4e4d346f4b7ce99ab090d403d7 100644
--- a/glide.yaml
+++ b/glide.yaml
@@ -66,7 +66,7 @@ import:
 
 # Used for server integration tests and OpenID Connect connector.
 - package: github.com/coreos/go-oidc
-  version: dedb650fb29c39c2f21aa88c1e4cec66da8754d1
+  version: 2b5d73091ea4b7ddb15e3ac00077f153120b5b61
 - package: github.com/pquerna/cachecontrol
   version: c97913dcbd76de40b051a9b4cd827f7eaeb7a868
 - package: golang.org/x/oauth2
diff --git a/vendor/github.com/coreos/go-oidc/verify.go b/vendor/github.com/coreos/go-oidc/verify.go
index 13c0f9347e8a6dd673c649bb6d73871349f6ea28..67185a267e6454b268f313742c9196466e6c740c 100644
--- a/vendor/github.com/coreos/go-oidc/verify.go
+++ b/vendor/github.com/coreos/go-oidc/verify.go
@@ -145,6 +145,13 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok
 		}
 	}
 
+	// If a checkExpiry is specified, make sure token is not expired.
+	if v.config.checkExpiry != nil {
+		if t.Expiry.Before(v.config.checkExpiry()) {
+			return nil, fmt.Errorf("oidc: token is expired (Token Expiry: %v)", t.Expiry)
+		}
+	}
+
 	// If a set of required algorithms has been provided, ensure that the signatures use those.
 	var keyIDs, gotAlgs []string
 	for _, sig := range jws.Signatures {