diff --git a/pkg/openid/provider/provider.go b/pkg/openid/provider/provider.go
index 193ae73..030542b 100644
--- a/pkg/openid/provider/provider.go
+++ b/pkg/openid/provider/provider.go
@@ -41,7 +41,7 @@ func (p *JwksProvider) RefreshPublicJwkSet(ctx context.Context) (*jwk.Set, error
 	defer p.jwksLock.Unlock()
 
 	// redirect to cache if recently refreshed to avoid overwhelming provider
-	diff := time.Now().Sub(p.jwksLock.lastRefresh)
+	diff := time.Since(p.jwksLock.lastRefresh)
 	if diff < JwkMinimumRefreshInterval {
 		return p.GetPublicJwkSet(ctx)
 	}
diff --git a/pkg/session/handler.go b/pkg/session/handler.go
index b0bacd3..6d0484c 100644
--- a/pkg/session/handler.go
+++ b/pkg/session/handler.go
@@ -68,7 +68,7 @@ func (h *Handler) Create(r *http.Request, tokens *openid.Tokens, sessionLifetime
 	}
 
 	key := h.Key(externalSessionID)
-	tokenExpiresIn := tokens.Expiry.Sub(time.Now())
+	tokenExpiresIn := time.Until(tokens.Expiry)
 	metadata := NewMetadata(tokenExpiresIn, sessionLifetime)
 	encrypted, err := NewData(externalSessionID, tokens, metadata).Encrypt(h.crypter)
 	if err != nil {