diff --git a/test/s3/iam/s3_iam_framework.go b/test/s3/iam/s3_iam_framework.go
index f9d022220..d23aef9e5 100644
--- a/test/s3/iam/s3_iam_framework.go
+++ b/test/s3/iam/s3_iam_framework.go
@@ -511,7 +511,15 @@ func (f *S3IAMTestFramework) CreateS3ClientWithSessionToken(sessionToken string)
 // CreateS3ClientWithKeycloakToken creates an S3 client using a Keycloak JWT token
 func (f *S3IAMTestFramework) CreateS3ClientWithKeycloakToken(keycloakToken string) (*s3.S3, error) {
- // Create a fresh HTTP transport with aggressive timeouts to prevent hanging
+ // Determine response header timeout based on environment
+ responseHeaderTimeout := 10 * time.Second
+ overallTimeout := 30 * time.Second
+ if os.Getenv("GITHUB_ACTIONS") == "true" {
+ responseHeaderTimeout = 30 * time.Second // Longer timeout for CI JWT validation
+ overallTimeout = 60 * time.Second
+ }
+
+ // Create a fresh HTTP transport with appropriate timeouts
 transport := &http.Transport{
 DisableKeepAlives: true, // Force new connections for each request
 DisableCompression: true, // Disable compression to simplify requests
@@ -519,13 +527,13 @@ func (f *S3IAMTestFramework) CreateS3ClientWithKeycloakToken(keycloakToken strin
 MaxIdleConnsPerHost: 0, // No connection pooling per host
 IdleConnTimeout: 1 * time.Second,
 TLSHandshakeTimeout: 5 * time.Second,
- ResponseHeaderTimeout: 10 * time.Second,
+ ResponseHeaderTimeout: responseHeaderTimeout, // Adjustable for CI environments
 ExpectContinueTimeout: 1 * time.Second,
 }
- // Create a custom HTTP client with aggressive timeouts
+ // Create a custom HTTP client with appropriate timeouts
 httpClient := &http.Client{
- Timeout: 30 * time.Second, // Overall request timeout
+ Timeout: overallTimeout, // Overall request timeout (adjustable for CI)
 Transport: &BearerTokenTransport{
 Token: keycloakToken,
 Transport: transport,
diff --git a/weed/iam/oidc/oidc_provider.go b/weed/iam/oidc/oidc_provider.go
index 021369370..e8f612731 100644
--- a/weed/iam/oidc/oidc_provider.go
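Review bot: The longer timeouts in CreateS3ClientWithKeycloakToken are keyed on `os.Getenv("GITHUB_ACTIONS") == "true"`, so any other slow environment (a different CI system, a loaded local machine) still gets the 10 s / 30 s values, and the switch is invisible to whoever runs the tests. I would document the variable in the function's doc comment, for example `// Timeouts are raised when GITHUB_ACTIONS=true because JWT validation is slower on CI runners.`, or read an explicit timeout override instead of a vendor-specific flag. The second hunk (`ResponseHeaderTimeout: responseHeaderTimeout`, `Timeout: overallTimeout`) only consumes these values. The function body continues outside both hunks, and the hunks do not show whether `os` is already imported in this file.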
+++ b/weed/iam/oidc/oidc_provider.go
@@ -79,7 +79,7 @@ type JWK struct {
 func NewOIDCProvider(name string) *OIDCProvider {
 return &OIDCProvider{
 name: name,
- httpClient: &http.Client{Timeout: 5 * time.Second}, // Reduced timeout for faster failures
+ httpClient: &http.Client{Timeout: 30 * time.Second},
 }
 }
@@ -384,7 +384,7 @@ func (p *OIDCProvider) mapClaimsToRoles(claims *providers.TokenClaims) []string
 // mapClaimsToRolesWithConfig maps token claims to roles using configured role mapping
 func (p *OIDCProvider) mapClaimsToRolesWithConfig(claims *providers.TokenClaims) []string {
 glog.V(3).Infof("mapClaimsToRolesWithConfig: RoleMapping is nil? %t", p.config.RoleMapping == nil)
-
+
 if p.config.RoleMapping == nil {
 glog.V(2).Infof("No role mapping configured for provider %s, using legacy mapping", p.name)
 // Fallback to legacy mapping if no role mapping configured
@@ -397,7 +397,7 @@ func (p *OIDCProvider) mapClaimsToRolesWithConfig(claims *providers.TokenClaims)
 // Apply role mapping rules
 for i, rule := range p.config.RoleMapping.Rules {
 glog.V(3).Infof("Rule %d: claim=%s, value=%s, role=%s", i, rule.Claim, rule.Value, rule.Role)
-
+
 if rule.Matches(claims) {
 glog.V(2).Infof("Rule %d matched! Adding role: %s", i, rule.Role)
 roles = append(roles, rule.Role)
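Review bot: `NewOIDCProvider` now gives the provider's HTTP client a 30-second timeout with no comment, and this is production code rather than the test framework; the change looks like an accommodation for slow CI, which the test-side hunk in the same commit already handles with its own environment switch. If this client is what fetches discovery or JWKS documents while a token is being validated (not visible in this hunk), a slow or unreachable identity provider can hold each such request for up to 30 s, which is an availability concern on the authentication path. I would keep the value in a named constant that records the rationale, e.g. `const defaultHTTPTimeout = 30 * time.Second // upper bound for identity-provider HTTP calls`, and let the provider configuration override it so deployments can choose a tighter bound. Outside GitHub Actions the test client's `ResponseHeaderTimeout` stays at 10 s, shorter than this server-side timeout, so a local run can still give up before the provider does.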