Closed bgavrilMS closed 5 months ago
CC @jiasli
That was not a bug. It was a feature, required by the JWT specs. Also, the OIDC specs defines ID token validation requirements which mentions SSL connection can only be used to replace the issuer check in step 6 but not the other steps. Those specs even used the term "MUST" which has its specific meaning.
That being said, it is technically OK to choose a larger time skew allowance and still be specs-compliant. It is perhaps also fine if we choose to drop this feature.
Out of curiosity, what was the context of this ask? We have a reasonably small built-in clock skew allowance that works in the wild for years now. Occasionally I did run into that "ID token is not yet valid" error but that's typically when I was using an out-of-sync VM.
Note that, a machine with huge time skew is a problem in itself. The SSL stack would usually fail validation somewhere, without even providing a meaningful error.
Lastly, the context here is about how or whether to perform ID token validation. Access token's specs (OAuth2) is completely different, thus not applicable in the ID token context.
How about change the current error message to use local time, such as "The ID token is not yet valid. Make sure your computer's time and time zone are both correct. Current time on your machine is 12:34PM. The id_token has an issue time at 13:45PM".
UPDATE: After some thought experiment, the next version of MSAL Python will not validate ID token's time.
Describe the bug
WSL + Azure CLI uses MSAL for auth in a public client scenario. Upon receiving an ID Token, MSAL validates it and fails due to invalid
nbf
with error "The ID token is not yet valid"Root cause
Looks like MSAL Py tries to validate the id token as follows:
However, due to a clock skew, MSAL Py raises an error.
Clients should not validate the id token's
nbf
andexp
claim. In case of access tokens, the STS returns an expiry duration in the token response to help clients cache the access tokens correctly.At a minimum remove
nbf
andexp
validation. Ideally remove all token validation logic - other MSALs do not perform this and rely on having had an SSL connection with the token issuer.