Please follow code style - spaces etc... (will help get your PR into the project)
leeway is an undescriptive variable name. Probably worth renaming to jwtExpiryLeewayMs (or similar)
Should be documented somewhere?
Should be tested
As for accepting the PR - I'll need to speak about it with the team and we'll review to see if we believe it is good practice to bake in security workarounds/relaxations into an official client for AC.
If we choose not to, I would suggest that we re-architect this change to allow overriding the retrieval of the JWT token or token expiry which would allow you to have custom handlers without worrying about a fork of the lib.