diff --git a/Gopkg.lock b/Gopkg.lock
index 4f76e1ee78..05984f80fe 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -304,8 +304,8 @@
 "token/hmac",
 "token/jwt"
 ]
- revision = "0fcbfea741d0f0bb2a96d5fa08a2797a109a4a33"
- version = "v0.21.2"
+ revision = "a07ce27c814538c7d0e6228ae814482be2e96e7e"
+ version = "v0.21.3"
 [[projects]]
 name = "github.com/ory/go-convenience"
@@ -637,6 +637,6 @@
 [solve-meta]
 analyzer-name = "dep"
 analyzer-version = 1
- inputs-digest = "700a36282813a0278a88f04f52beabb3d91b479c4333be0521e132425e0da2bd"
+ inputs-digest = "ce71dd566bed8703317368f15ad1feac1c2c41c361346922e2da736f1ea99fc6"
 solver-name = "gps-cdcl"
 solver-version = 1
diff --git a/Gopkg.toml b/Gopkg.toml
index 9ef5612aa8..d370617307 100644
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -75,7 +75,7 @@
 [[constraint]]
 name = "github.com/ory/fosite"
- version = "0.21.2"
+ version = "0.21.3"
 [[constraint]]
 name = "github.com/ory/graceful"
diff --git a/cmd/server/handler_oauth2_factory.go b/cmd/server/handler_oauth2_factory.go
index bdc4d5afec..e123560778 100644
--- a/cmd/server/handler_oauth2_factory.go
+++ b/cmd/server/handler_oauth2_factory.go
@@ -66,6 +66,7 @@ func newOAuth2Provider(c *config.Config) fosite.OAuth2Provider {
 AccessTokenLifespan: c.GetAccessTokenLifespan(),
 AuthorizeCodeLifespan: c.GetAuthCodeLifespan(),
 IDTokenLifespan: c.GetIDTokenLifespan(),
+ IDTokenIssuer: c.Issuer,
 HashCost: c.BCryptWorkFactor,
 ScopeStrategy: c.GetScopeStrategy(),
 SendDebugMessagesToClients: c.SendOAuth2DebugMessagesToClients,
@@ -78,7 +79,11 @@ func newOAuth2Provider(c *config.Config) fosite.OAuth2Provider {
 if err != nil {
 c.GetLogger().WithError(err).Fatalf("Unable to refresh OpenID Connect signing keys.")
 }
- oidcStrategy := &openid.DefaultStrategy{JWTStrategy: jwtStrategy}
+ oidcStrategy := &openid.DefaultStrategy{
+ JWTStrategy: jwtStrategy,
+ Expiry: c.GetIDTokenLifespan(),
+ Issuer: c.Issuer,
+ }
 var coreStrategy foauth2.CoreStrategy
 hmacStrategy := compose.NewOAuth2HMACStrategy(fc, c.GetSystemSecret())
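Review bot: The issuer handed to openid.DefaultStrategy here (`Issuer: c.Issuer`, and `IDTokenIssuer: c.Issuer` in the hunk above) is the raw config value, while oauth2/handler.go still builds the ID token's issuer claim as `strings.TrimRight(h.IssuerURL, "/") + "/"`. If the fosite strategy fills or overwrites `iss` the way the handler's new comment says it does for `exp`, the two disagree whenever `c.Issuer` has no trailing slash, and an `iss` that does not byte-match the discovery document's `issuer` makes conforming relying parties reject the ID token; whether h.IssuerURL is derived from c.Issuer is not visible in this diff. Normalize once and use that value in both places, e.g. `issuer := strings.TrimRight(c.Issuer, "/") + "/"` before the compose.Config literal, then `IDTokenIssuer: issuer` and `Issuer: issuer`. `Expiry: c.GetIDTokenLifespan()` also deserves a zero check at startup, since a zero lifespan is now interpreted by the strategy rather than by this code. newOAuth2Provider begins and ends outside the hunk.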
@@ -205,8 +210,8 @@ func newOAuth2Handler(c *config.Config, frontend, backend *httprouter.Router, cm
 OpenIDJWTStrategy: openIDJWTStrategy,
 AccessTokenJWTStrategy: accessTokenJWTStrategy,
 AccessTokenStrategy: c.OAuth2AccessTokenStrategy,
- IDTokenLifespan: c.GetIDTokenLifespan(),
- ShareOAuth2Debug: c.SendOAuth2DebugMessagesToClients,
+ //IDTokenLifespan: c.GetIDTokenLifespan(),
+ ShareOAuth2Debug: c.SendOAuth2DebugMessagesToClients,
 }
 handler.SetRoutes(frontend, backend)
diff --git a/oauth2/handler.go b/oauth2/handler.go
index b5b0bd8006..5920dcdd69 100644
--- a/oauth2/handler.go
+++ b/oauth2/handler.go
@@ -625,10 +625,11 @@ func (h *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprout
 Claims: &jwt.IDTokenClaims{
 // We do not need to pass the audience because it's included directly by ORY Fosite
 //Audience: []string{authorizeRequest.GetClient().GetID()},
- Subject: session.ConsentRequest.SubjectIdentifier,
- Issuer: strings.TrimRight(h.IssuerURL, "/") + "/",
- IssuedAt: time.Now().UTC(),
- ExpiresAt: time.Now().Add(h.IDTokenLifespan).UTC(),
+ Subject: session.ConsentRequest.SubjectIdentifier,
+ Issuer: strings.TrimRight(h.IssuerURL, "/") + "/",
+ IssuedAt: time.Now().UTC(),
+ // This is set by the fosite strategy
+ //ExpiresAt: time.Now().Add(h.IDTokenLifespan).UTC(),
 AuthTime: session.AuthenticatedAt,
 RequestedAt: session.RequestedAt,
 Extra: session.Session.IDToken,
diff --git a/oauth2/handler_struct.go b/oauth2/handler_struct.go
index 362d56507b..72ca106e8e 100644
--- a/oauth2/handler_struct.go
+++ b/oauth2/handler_struct.go
@@ -44,8 +44,8 @@ type Handler struct {
 ErrorURL url.URL
 AccessTokenLifespan time.Duration
- IDTokenLifespan time.Duration
- CookieStore sessions.Store
+ //IDTokenLifespan time.Duration
+ CookieStore sessions.Store
 OpenIDJWTStrategy jwk.JWTStrategy
 AccessTokenJWTStrategy jwk.JWTStrategy
diff --git a/oauth2/introspector_test.go b/oauth2/introspector_test.go
index 6357f59804..f9983aa756 100644
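Review bot: The commented-out assignment `//IDTokenLifespan: c.GetIDTokenLifespan(),` should be deleted rather than left in the struct literal; version control keeps the history, and a commented-out field next to the live `ShareOAuth2Debug` line invites someone to uncomment it against a field that no longer exists. Drop that line so the literal reads `AccessTokenStrategy: c.OAuth2AccessTokenStrategy,` followed directly by `ShareOAuth2Debug: c.SendOAuth2DebugMessagesToClients,`. newOAuth2Handler begins outside the hunk.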
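Review bot: After this change AuthHandler no longer guarantees an `exp` on the ID token it builds, and nothing in the diff checks that the strategy actually supplies one; an ID token without `exp` violates OIDC Core (exp is REQUIRED) and some RP libraries treat a missing `exp` as never-expiring. Whether openid.DefaultStrategy always overwrites ExpiresAt, or only fills it when zero, is not visible here, so either keep a guard in this handler or add a test that decodes the issued ID token and asserts `exp` lies within the configured lifespan of `iat`. The commented-out line should also go; replace the two-line comment with `// ExpiresAt is left unset on purpose: openid.DefaultStrategy sets it from its configured Expiry.` AuthHandler begins and ends outside the hunk.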
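Review bot: `//IDTokenLifespan time.Duration` is a commented-out struct field and should be deleted outright; it is commented out in every initializer this change touches, and the comment only documents what used to exist. If the intent is to point readers at the new owner of the lifespan, a real comment on the neighbouring field is clearer, e.g. `// AccessTokenLifespan bounds access tokens; the ID token lifespan is owned by the fosite OpenID strategy.` The Handler struct continues outside the hunk.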
--- a/oauth2/introspector_test.go
+++ b/oauth2/introspector_test.go
@@ -65,7 +65,7 @@ func TestIntrospectorSDK(t *testing.T) {
 memoryStore,
 &compose.CommonStrategy{
 CoreStrategy: compose.NewOAuth2HMACStrategy(fc, []byte("1234567890123456789012345678901234567890")),
- OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(pkg.MustINSECURELOWENTROPYRSAKEYFORTEST()),
+ OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(fc, pkg.MustINSECURELOWENTROPYRSAKEYFORTEST()),
 },
 nil,
 compose.OAuth2AuthorizeExplicitFactory,
diff --git a/oauth2/oauth2_auth_code_test.go b/oauth2/oauth2_auth_code_test.go
index 96a20bdde6..eaff87af60 100644
--- a/oauth2/oauth2_auth_code_test.go
+++ b/oauth2/oauth2_auth_code_test.go
@@ -185,11 +185,12 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 compose.OAuth2TokenRevocationFactory,
 compose.OAuth2TokenIntrospectionFactory,
 ),
- Consent: consentStrategy,
- CookieStore: cookieStore,
- H: herodot.NewJSONWriter(l),
- ScopeStrategy: fosite.ExactScopeStrategy,
- IDTokenLifespan: time.Minute, IssuerURL: ts.URL, ForcedHTTP: true, L: l,
+ Consent: consentStrategy,
+ CookieStore: cookieStore,
+ H: herodot.NewJSONWriter(l),
+ ScopeStrategy: fosite.ExactScopeStrategy,
+ //IDTokenLifespan: time.Minute,
+ IssuerURL: ts.URL, ForcedHTTP: true, L: l,
 OpenIDJWTStrategy: jwtStrategy,
 }
 handler.SetRoutes(router, router)
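Review bot: Removing `IDTokenLifespan: time.Minute` from the handler leaves this test with no stated ID token lifespan and no assertion on the issued token's `exp`, so the behaviour this commit moves into the fosite strategy is untested here. The lifespan the strategy uses in this test presumably comes from the shared `fc` compose.Config in oauth2_helper_test.go, whose fields are not visible in the diff; if it sets none, the test still passes while the server issues ID tokens with a zero or library-default expiry. Add a check after the token exchange that decodes the ID token and fails unless `exp` is non-zero, later than `iat`, and no more than the configured lifespan after it, using the assertion helper the file already uses. The commented-out `//IDTokenLifespan: time.Minute,` line should simply be deleted. TestAuthCodeWithDefaultStrategy begins and ends outside the hunk.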
@@ -734,13 +735,13 @@ func TestAuthCodeWithMockStrategy(t *testing.T) {
 compose.OAuth2TokenRevocationFactory,
 compose.OAuth2TokenIntrospectionFactory,
 ),
- Consent: consentStrategy,
- CookieStore: sessions.NewCookieStore([]byte("foo-secret")),
- ForcedHTTP: true,
- L: l,
- H: herodot.NewJSONWriter(l),
- ScopeStrategy: fosite.HierarchicScopeStrategy,
- IDTokenLifespan: time.Minute,
+ Consent: consentStrategy,
+ CookieStore: sessions.NewCookieStore([]byte("foo-secret")),
+ ForcedHTTP: true,
+ L: l,
+ H: herodot.NewJSONWriter(l),
+ ScopeStrategy: fosite.HierarchicScopeStrategy,
+ //IDTokenLifespan: time.Minute,
 IssuerURL: ts.URL,
 OpenIDJWTStrategy: jwtStrategy,
 }
diff --git a/oauth2/oauth2_client_credentials_test.go b/oauth2/oauth2_client_credentials_test.go
index 98c43af920..73efcd0de1 100644
--- a/oauth2/oauth2_client_credentials_test.go
+++ b/oauth2/oauth2_client_credentials_test.go
@@ -100,10 +100,10 @@ func TestClientCredentials(t *testing.T) {
 compose.OAuth2TokenIntrospectionFactory,
 ),
 //Consent: consentStrategy,
- CookieStore: sessions.NewCookieStore([]byte("foo-secret")),
- ForcedHTTP: true,
- ScopeStrategy: fosite.HierarchicScopeStrategy,
- IDTokenLifespan: time.Minute,
+ CookieStore: sessions.NewCookieStore([]byte("foo-secret")),
+ ForcedHTTP: true,
+ ScopeStrategy: fosite.HierarchicScopeStrategy,
+ //IDTokenLifespan: time.Minute,
 H: herodot.NewJSONWriter(l),
 L: l,
 IssuerURL: ts.URL,
diff --git a/oauth2/oauth2_helper_test.go b/oauth2/oauth2_helper_test.go
index 1fac6c32fd..66d3c7056b 100644
--- a/oauth2/oauth2_helper_test.go
+++ b/oauth2/oauth2_helper_test.go
@@ -33,11 +33,11 @@ import (
 var hasher = &fosite.BCrypt{}
 var oauth2OpqaueStrategy = &compose.CommonStrategy{
 CoreStrategy: compose.NewOAuth2HMACStrategy(fc, []byte("some super secret secret secret secret")),
- OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(pkg.MustINSECURELOWENTROPYRSAKEYFORTEST()),
+ OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(fc, pkg.MustINSECURELOWENTROPYRSAKEYFORTEST()),
 }
 var oauth2JWTStrategy = &compose.CommonStrategy{
 CoreStrategy: compose.NewOAuth2JWTStrategy(pkg.MustINSECURELOWENTROPYRSAKEYFORTEST(), compose.NewOAuth2HMACStrategy(fc, []byte("some super secret secret secret secret"))),
- OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(pkg.MustINSECURELOWENTROPYRSAKEYFORTEST()),
+ OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(fc, pkg.MustINSECURELOWENTROPYRSAKEYFORTEST()),
 }
 var fc = &compose.Config{
diff --git a/oauth2/revocator_test.go b/oauth2/revocator_test.go
index 12e23f4ec9..c7fcca15c6 100644
--- a/oauth2/revocator_test.go
+++ b/oauth2/revocator_test.go
@@ -81,7 +81,7 @@ func TestRevoke(t *testing.T) {
 store,
 &compose.CommonStrategy{
 CoreStrategy: compose.NewOAuth2HMACStrategy(fc, []byte("1234567890123456789012345678901234567890")),
- OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(pkg.MustINSECURELOWENTROPYRSAKEYFORTEST()),
+ OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(fc, pkg.MustINSECURELOWENTROPYRSAKEYFORTEST()),
 },
 nil,
 compose.OAuth2TokenIntrospectionFactory,