search

AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available here https://learn.microsoft.com/entra/msal/python/ Stable APIs are documented here https://msal-python.readthedocs.io. Questions can be asked on www.stackoverflow.com with tag "msal" + "python".
https://stackoverflow.com/questions/tagged/azure-ad-msal+python
Other
754 stars 191 forks source link

[Bug] MSAL should not attempt to validate the ID Token #656

Closed bgavrilMS closed 5 months ago

bgavrilMS commented 5 months ago

Describe the bug

WSL + Azure CLI uses MSAL for auth in a public client scenario. Upon receiving an ID Token, MSAL validates it and fails due to invalid nbf with error "The ID token is not yet valid"

Root cause

Looks like MSAL Py tries to validate the id token as follows:

However, due to a clock skew, MSAL Py raises an error.

Clients should not validate the id token's nbf and exp claim. In case of access tokens, the STS returns an expiry duration in the token response to help clients cache the access tokens correctly.

At a minimum remove nbf and exp validation. Ideally remove all token validation logic - other MSALs do not perform this and rely on having had an SSL connection with the token issuer.

bgavrilMS commented 5 months ago

CC @jiasli

rayluo commented 5 months ago

That was not a bug. It was a feature, required by the JWT specs. Also, the OIDC specs defines ID token validation requirements which mentions SSL connection can only be used to replace the issuer check in step 6 but not the other steps. Those specs even used the term "MUST" which has its specific meaning.

That being said, it is technically OK to choose a larger time skew allowance and still be specs-compliant. It is perhaps also fine if we choose to drop this feature.

Out of curiosity, what was the context of this ask? We have a reasonably small built-in clock skew allowance that works in the wild for years now. Occasionally I did run into that "ID token is not yet valid" error but that's typically when I was using an out-of-sync VM.

Note that, a machine with huge time skew is a problem in itself. The SSL stack would usually fail validation somewhere, without even providing a meaningful error.

Lastly, the context here is about how or whether to perform ID token validation. Access token's specs (OAuth2) is completely different, thus not applicable in the ID token context.

rayluo commented 5 months ago

How about change the current error message to use local time, such as "The ID token is not yet valid. Make sure your computer's time and time zone are both correct. Current time on your machine is 12:34PM. The id_token has an issue time at 13:45PM".

rayluo commented 5 months ago

UPDATE: After some thought experiment, the next version of MSAL Python will not validate ID token's time.