The problem was in the max_age query parameter of the authorization URL provided by our client (the one that a client redirects a user to in order to get an authorization code). The max_age had a value of 0 (e.g. max_age=0), which for some reason caused Entra to issue an authorization code that would provide a token that was seemingly issued 5 minutes in the past and immediately expired in the present. We fixed it by removing the query parameter altogether. This resulted in getting a token with the default 60-90 minute lifetime. More about the query parameter can be read in the OIDC specification.
OAuth tokens endpoint issues expired token
- We have a Web App that supports a Single Sign-On via Azure
- We have a corresponding app registration within the AD
- We are using a hybrid authentication flow
- The flow has been previously tested with several other registrations and works fine except for this one specific tenant (tried several registrations from the tenant, all have the same issue)
- The endpoint used to issue a token is:
https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
The flow uses an id token that needs to be verified first. A popular NodeJS package is used to verify the token. The problem is that a token always fails to be verified. This is due to the lifetime and expiration of the token, which are represented by the iat and exp properties within the token payload.
For example, a token with a payload such as:
{
...,
"iat": 1695209618,
"nbf": 1695209618,
"exp": 1695209918,
...,
"auth_time": 1695209915,
...}
The problem with those values is that this token was requested at 1695209915, which is almost 5 minutes after the iat. So the first part of the problem is that the endpoint always issues a token which is almost 5 minutes old. The second part of the problem is the fact that by the time the token arrives at the server it's always already expired. So unless you ignore the token expiry, it can never be validated.
FYI, the token from the example above was received at 1695209919, which is exactly after it had expired.
To recap the weird moments:
- A token is always issued as 5 minutes old
- The iat is always before the auth_time
- By the time the token arrives, it's already expired
- The token lifetime is only 5 minutes (I read in the Azure docs that the minimum lifetime for an id token is 10 minutes)
What we have tried so far:
- Re-registered the application
- Double-checked all endpoints and client credentials
- Inspecting the tokens closely
We would appreciate directions and suggestions, from more experienced Azure Identity Platform users, about where to look at to debug and find the cause of the problem.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Entra | Other
1 answer
Andrii Malesh 5 Reputation points
2024-10-31T17:55:40.5133333+00:00