diff --git a/Gopkg.lock b/Gopkg.lock
index 19c556d8015..61c3ad33d2d 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -292,8 +292,8 @@
 "token/hmac",
 "token/jwt"
 ]
- revision = "e9339d73eb39b15ffdb4b9a62ddc1ff1ba512530"
- version = "v0.19.2"
+ revision = "aaec9940e2c3fc5a696b3d174d517a6ff1490a6f"
+ version = "v0.19.3"
 [[projects]]
 branch = "master"
@@ -622,6 +622,6 @@
 [solve-meta]
 analyzer-name = "dep"
 analyzer-version = 1
- inputs-digest = "04333074b175da14c23eb84a8ae97ba2ab342489de4d7c1e577a834094d609d3"
+ inputs-digest = "adc1f171d58384cbfd8fb0fbda947a3d1deba93d81250ec6cdda09323af18c4a"
 solver-name = "gps-cdcl"
 solver-version = 1
diff --git a/Gopkg.toml b/Gopkg.toml
index 85a10db70d7..f08498cabfc 100644
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -75,7 +75,7 @@
 [[constraint]]
 name = "github.com/ory/fosite"
- version = "0.19.2"
+ version = "0.19.3"
 [[constraint]]
 name = "github.com/ory/graceful"
diff --git a/consent/strategy_default.go b/consent/strategy_default.go
index 0cc5bab0a33..183cad7ca98 100644
--- a/consent/strategy_default.go
+++ b/consent/strategy_default.go
@@ -289,6 +289,13 @@ func (s *DefaultStrategy) verifyAuthentication(w http.ResponseWriter, r *http.Re
 return nil, errors.WithStack(fosite.ErrServerError.WithDebug("The login request is marked as remember, but the subject from the login confirmation does not match the original subject from the cookie."))
 }
+ authTime := session.AuthenticatedAt
+ if session.AuthenticatedAt.After(session.RequestedAt) {
+ // If we authenticated after the initial request hit the /oauth2/auth endpoint, we can update the
+ // auth time to now which will resolve issues with very short max_age times
+ authTime = time.Now().UTC()
+ }
+
 if err := s.OpenIDConnectRequestValidator.ValidatePrompt(&fosite.AuthorizeRequest{
 ResponseTypes: req.GetResponseTypes(),
 RedirectURI: req.GetRedirectURI(),
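Review bot: `authTime` is overwritten with `time.Now().UTC()` rather than the instant the user actually authenticated, so the `AuthTime` handed to `ValidatePrompt` (second hunk) no longer describes the login event; the intent is really that a login performed after `RequestedAt` satisfies any `max_age`, and the comment should say so instead of "we can update the auth time", which reads as if the session were being mutated, e.g. `// A login that happened during this authorization request always satisfies max_age, so give the validator a timestamp that cannot trip the check.`. Keep the substituted value confined to the validator's claims: if the `auth_time` claim of issued ID tokens is derived from `session.AuthenticatedAt` elsewhere (not visible here), it must keep the real timestamp, since relying parties do their own `max_age` reasoning on it. The strict `After` leaves `AuthenticatedAt == RequestedAt` on the old path; if timestamps are truncated to second precision in storage that case is reachable, and `!session.AuthenticatedAt.Before(session.RequestedAt)` would cover it, should that be the intended semantics. verifyAuthentication begins and ends outside this hunk.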
@@ -306,7 +313,7 @@ func (s *DefaultStrategy) verifyAuthentication(w http.ResponseWriter, r *http.Re
 Subject: session.Subject,
 IssuedAt: time.Now().UTC(), // doesn't matter
 ExpiresAt: time.Now().Add(time.Hour).UTC(), // doesn't matter
- AuthTime: session.AuthenticatedAt,
+ AuthTime: authTime,
 RequestedAt: session.RequestedAt,
 },
 Headers: &jwt.Headers{},
diff --git a/oauth2/oauth2_auth_code_test.go b/oauth2/oauth2_auth_code_test.go
index 0c71967b2f7..98a95436b7a 100644
--- a/oauth2/oauth2_auth_code_test.go
+++ b/oauth2/oauth2_auth_code_test.go
@@ -451,7 +451,7 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 },
 {
 d: "should not cause issues if max_age is very low and consent takes a long time",
- authURL: oauthConfig.AuthCodeURL("some-hardcoded-state") + "&max_age=1",
+ authURL: oauthConfig.AuthCodeURL("some-hardcoded-state") + "&max_age=2",
 //cj: persistentCJ,
 lph: func(t *testing.T) func(w http.ResponseWriter, r *http.Request) {
 return func(w http.ResponseWriter, r *http.Request) {
@@ -472,7 +472,7 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 require.NoError(t, err)
 require.EqualValues(t, http.StatusOK, res.StatusCode)
- time.Sleep(time.Second * 2)
+ time.Sleep(time.Second * 3)
 v, res, err := apiClient.AcceptConsentRequest(r.URL.Query().Get("consent_challenge"), swagger.AcceptConsentRequest{
 GrantScope: []string{"hydra", "openid"},
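Review bot: The regression test still depends on wall-clock timing — `&max_age=2` here against `time.Sleep(time.Second * 3)` in the next hunk — so it adds three seconds to every run and its outcome shifts with how long the surrounding HTTP round-trips take under CI load. A deterministic alternative would be for `DefaultStrategy` to read the current time through an injectable clock (a `func() time.Time` field defaulting to `time.Now`) so the test can advance it instead of sleeping; that change belongs in consent/strategy_default.go, outside this hunk. The enclosing TestAuthCodeWithDefaultStrategy table starts and ends outside the hunk.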