OAuth tokens endpoint issues expired token
- We have a Web App that supports a Single Sign-On via Azure
- We have a corresponding app registration within the AD
- We are using a hybrid authentication flow
- The flow has been previously tested with several other registrations and works fine except for this one specific tenant (tried several registrations from the tenant, all have the same issue)
- The endpoint used to issue a token is:
https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
The flow uses an id token that needs to be verified first. A popular NodeJS package is used to verify the token. The problem is that a token always fails to be verified. This is due to the lifetime and expiration of the token, which are represented by the `iat` and `exp` properties within the token payload.
For example, a token with a payload such as:

```json
{
  ...,
  "iat": 1695209618,
  "nbf": 1695209618,
  "exp": 1695209918,
  ...,
  "auth_time": 1695209915,
  ...
}
```
The problem with those values is that this token was requested at 1695209915, which is almost 5 minutes after the `iat`. So the first part of the problem is that the endpoint always issues a token which is almost 5 minutes old. The second part of the problem is the fact that by the time the token arrives at the server it's always already expired. So unless you ignore the token expiry, it can never be validated.

FYI, the token from the example above was received at 1695209919, which is just after it had expired.
To recap the weird moments:
- A token is always issued as 5 minutes old
- The `iat` is always before the `auth_time`
- By the time the token arrives, it's already expired
- The token lifetime is only 5 minutes (I read in the Azure docs that the minimum lifetime for an id token is 10 minutes)
What we have tried so far:
- Re-registered the application
- Double-checked all endpoints and client credentials
- Inspected the tokens closely
We would appreciate directions and suggestions, from more experienced Azure Identity Platform users, about where to look to debug and find the cause of the problem.
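As an added example that is not part of the original question, the Node script below decodes a constructed, unsigned JWT carrying the payload values quoted above and reports how the `iat`/`nbf`/`exp`/`auth_time` claims relate to the receipt time, so the offsets can be logged before deciding whether a clock-skew allowance would make the token verifiable. The `tolerance` parameter is an assumption standing in for the clock-skew option most JWT libraries expose (`clockTolerance` in jsonwebtoken); signature verification, which a real verifier must still perform, is not shown.

```javascript
// Added example (not from the original post): timing diagnostics for an
// id token's time claims. Signature verification is deliberately omitted;
// this only explains *why* the time-claim checks fail.

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Compare the token's time claims against the time we received it.
// tolerance is the clock-skew allowance in seconds (assumed to mirror a
// library option such as jsonwebtoken's clockTolerance). Returns a report
// instead of throwing so the caller can log the offsets on failure.
function timingReport(payload, receivedAt, tolerance = 0) {
  const { iat, nbf, exp, auth_time } = payload;
  return {
    lifetime: exp - iat,                   // seconds the issuer considers it valid
    ageAtReceipt: receivedAt - iat,        // how old the token already was on arrival
    secondsPastExpiry: receivedAt - exp,   // positive => expired before it arrived
    iatToAuthTime: auth_time - iat,        // gap between issuer clock and auth_time
    notBeforeOk: receivedAt + tolerance >= nbf,
    expiryOk: receivedAt - tolerance < exp,
  };
}

// Constructed token: header {"alg":"none"} + the question's payload, empty signature.
const samplePayload = {
  iat: 1695209618, nbf: 1695209618, exp: 1695209918, auth_time: 1695209915,
};
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const sampleToken = `${b64({ alg: 'none', typ: 'JWT' })}.${b64(samplePayload)}.`;

const receivedAt = 1695209919; // receipt time stated in the question

// Prints lifetime 300, ageAtReceipt 301, secondsPastExpiry 1, iatToAuthTime 297,
// expiryOk false: a 5 minute lifetime consumed entirely before arrival.
console.log(timingReport(decodeJwtPayload(sampleToken), receivedAt));

// expiryOk only flips to true once tolerance exceeds secondsPastExpiry.
console.log(timingReport(samplePayload, receivedAt, 60).expiryOk);
```

Logging these offsets next to the server's own NTP status separates an issuer-side lifetime problem from a local clock problem, and makes any tolerance you end up configuring a deliberate, bounded choice rather than "ignore expiry".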