OAuth tokens endpoint issues expired token

Andrii Malesh 5 Reputation points
2023-09-28T09:19:52.43+00:00
  • We have a Web App that supports a Single Sign-On via Azure
  • We have a corresponding app registration within the AD
  • We are using a hybrid authentication flow
  • The flow has been previously tested with several other registrations and works fine except for this one specific tenant (tried several registrations from the tenant, all have the same issue)
  • The endpoint used to issue a token is: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token

The flow uses an id token that needs to be verified first. A popular NodeJS package is used to verify the token. The problem is that a token always fails to be verified. This is due to the lifetime and expiration of the token, which are represented by the iat and exp properties within the token payload.
For example, a token with a payload such as:

{
...,
"iat": 1695209618,
"nbf": 1695209618,
"exp": 1695209918,
...,
"auth_time": 1695209915,
...}

The problem with those values is that this token was requested at 1695209915, which is almost 5 minutes after the iat. So the first part of the problem is that the endpoint always issues a token which is almost 5 minutes old. The second part of the problem is the fact that by the time the token arrives at the server it is always already expired. So unless you ignore the token expiry, it can never be validated. FYI, the token from the example above was received at 1695209919, which is just after it had expired.

To recap the weird moments:

  • A token is always issued as 5 minutes old
  • The iat is always before the auth_time
  • By the time the token arrives, it's already expired
  • The token lifetime is only 5 minutes (I read in the Azure docs that the minimum lifetime for an id token is 10 minutes)

What we have tried so far:

  • Re-registered the application
  • Double-checked all endpoints and client credentials
  • Inspected the tokens closely

We would appreciate directions and suggestions, from more experienced Azure Identity Platform users, about where to look to debug and find the cause of the problem.
