Entra ID issuing expired ID Tokens
We are integrating our application with SSO using Entra ID App Registrations and configuring OIDC.
When our application receives the ID token from Microsoft Entra, the iat and exp values seem invalid. This has been occurring for a few months now consistently, ever since we first started to integrate with Entra ID.
The problem is that the iat claim is dated five minutes in the past, and the exp claim is actually the time that I believe should be placed in the iat.
Consequently, when the OIDC authentication module examines the token we end up rejecting it because it is already expired. I don't have this issue with other OIDC providers -- they seem to set iat and exp as expected.
If I am unable to find a solution for this problem I will have to add an additional "fudge factor" on top of the provided exp so that our application can function against Microsoft Entra.
"iat": 1702682589 <-- always exactly 5 minutes in the past
"nbf": 1702682589
"exp": 1702682889 <-- always "right now"
Am I misunderstanding something? Any clarification is much appreciated -- thank you!
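The check below is an added illustration, not part of the question or of any Microsoft library. It decodes a constructed token carrying the three time claims quoted above (iat/nbf 1702682589, exp 1702682889; the aud value and the signature segment are placeholders, and the signature is not verified) and runs the RFC 7519 time checks against a receiver clock set to the moment the question reports as "right now". It shows that a strict check rejects the token the instant now reaches exp, that a bounded leeway of tens of seconds absorbs small issuer/receiver skew, and that a receiver clock only ten seconds behind would already have accepted it, which is why comparing the application host's clock against an authoritative time source is worth doing before widening the tolerance. The 300-second cap on leeway is a design choice of this example.

```python
import base64
import json

# Constructed sample: the time claims quoted in the question; "aud" is a
# placeholder and the signature segment is a dummy (no signature verification here).
SAMPLE_CLAIMS = {
    "iat": 1702682589,
    "nbf": 1702682589,
    "exp": 1702682889,
    "aud": "example-client-id",  # placeholder value
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def build_unsigned_token(claims: dict) -> str:
    """Assemble header.payload.signature with a placeholder signature segment."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT. Signature verification is a separate step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_time_claims(claims: dict, now: int, leeway: int = 0) -> tuple[bool, str]:
    """Validate exp/nbf/iat against `now` (epoch seconds) with a bounded leeway.

    RFC 7519: the current time must be before exp and not before nbf. Leeway
    absorbs small clock skew between issuer and receiver; keeping it small
    (tens of seconds) preserves the token lifetime the issuer intended.
    """
    if leeway < 0 or leeway > 300:
        raise ValueError("leeway must be between 0 and 300 seconds")
    exp = claims.get("exp")
    if exp is None:
        return False, "missing exp"
    if now >= exp + leeway:
        return False, f"expired: now={now} exp={exp} leeway={leeway}"
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        return False, f"not yet valid: now={now} nbf={nbf}"
    iat = claims.get("iat")
    if iat is not None and iat > now + leeway:
        return False, f"issued in the future: iat={iat} now={now}"
    return True, "ok"


def demo() -> dict:
    """Run the sample token through the checks at the receipt time the question describes."""
    token = build_unsigned_token(SAMPLE_CLAIMS)
    claims = decode_claims(token)
    received_at = claims["exp"]  # the question reports exp == "right now" at receipt
    return {
        "strict": check_time_claims(claims, received_at, leeway=0)[0],
        "leeway_60": check_time_claims(claims, received_at, leeway=60)[0],
        "clock_behind_by_10": check_time_claims(claims, received_at - 10, leeway=0)[0],
        "well_past": check_time_claims(claims, received_at + 300, leeway=60)[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Any leeway added on the receiving side applies to every issuer the application trusts, so it is better treated as a small, documented constant than as a per-provider fudge factor; if the gap is consistently a round five minutes, checking the receiver's own clock first is the cheaper fix.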