Entra ID issuing expired ID Tokens

Çağlar Arlı

We are integrating our application with SSO using Entra ID App Registrations and configuring OIDC.

When our application receives the ID token from Microsoft Entra, the iat and exp values seem invalid. This has been occurring consistently for a few months now, ever since we first started to integrate with Entra ID.

The problem is that the iat claim is dated five minutes in the past, and the exp claim is actually the time that I believe should be placed in the iat.

Consequently, when the OIDC authentication module examines the token we end up rejecting it because it is already expired. I don't have this issue with other OIDC providers -- they seem to set iat and exp as expected.

If I am unable to find a solution for this problem I will have to add an additional "fudge factor" on top of the provided exp so that our application can function against Microsoft Entra.

  "iat": 1702682589 <-- always exactly 5 minutes in the past
  "nbf": 1702682589
  "exp": 1702682889 <-- always "right now"

Am I misunderstanding something? Any clarification is much appreciated -- thank you!
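The situation above, as an added example that is not part of the original post: a validator for the exp/nbf/iat claims that applies the small, bounded clock-skew leeway RFC 7519 permits instead of an open-ended "fudge factor", and that reports the issuer-asserted lifetime (exp minus iat) and the validator-side offset (now minus iat) so both clocks can be audited. The claim values are the ones quoted in the post; the "now" timestamps and the 300-second leeway ceiling are constructed assumptions.

```python
"""Time-claim validation for an OIDC ID token with a bounded clock-skew leeway.

Added example, not code from the original post. Claim values are those quoted
in the post; the "now" values and MAX_LEEWAY_SECONDS are constructed choices.
"""
from dataclasses import dataclass

MAX_LEEWAY_SECONDS = 300  # hard ceiling so a skew allowance cannot grow without limit


@dataclass(frozen=True)
class TimeCheck:
    ok: bool
    reason: str
    lifetime: int       # exp - iat: validity window as asserted by the issuer
    issuer_offset: int  # now - iat: how far the validator clock sits past issue time


def check_time_claims(claims: dict, now: int, leeway: int = 0) -> TimeCheck:
    """Apply the RFC 7519 rules for exp (now must be before exp, so now == exp
    is already expired), nbf (now must not be before nbf) and iat (an issue
    time in the future beyond the leeway is a clock-skew symptom)."""
    if not 0 <= leeway <= MAX_LEEWAY_SECONDS:
        raise ValueError(f"leeway must be within 0..{MAX_LEEWAY_SECONDS} seconds")
    iat, exp = claims["iat"], claims["exp"]
    nbf = claims.get("nbf", iat)  # nbf is optional; default to iat
    lifetime, offset = exp - iat, now - iat
    if exp <= iat:
        return TimeCheck(False, "exp not after iat", lifetime, offset)
    if now >= exp + leeway:
        return TimeCheck(False, f"expired {now - exp}s ago", lifetime, offset)
    if now < nbf - leeway:
        return TimeCheck(False, f"not yet valid for {nbf - now}s", lifetime, offset)
    if iat > now + leeway:
        return TimeCheck(False, f"iat {iat - now}s in the future", lifetime, offset)
    return TimeCheck(True, "ok", lifetime, offset)


# Claims quoted in the post (seconds since the Unix epoch).
POST_CLAIMS = {"iat": 1702682589, "nbf": 1702682589, "exp": 1702682889}

if __name__ == "__main__":
    # "exp is right now": the token is rejected at the exact instant now == exp.
    print(check_time_claims(POST_CLAIMS, now=1702682889))
    # A 60-second leeway accepts it; lifetime shows the issuer granted only 300s.
    print(check_time_claims(POST_CLAIMS, now=1702682889, leeway=60))
```

The lifetime field is what to compare against the issuer's configured token lifetime, and the issuer_offset field is what to compare against the validator host's NTP state before any leeway is widened.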