MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Information on required `iat` claim missing #86915

Closed astaykov closed 2 years ago

astaykov commented 2 years ago

The documentation about workload identity federation is missing particularly important information about the required `iat` (issued at) claim.

Azure AD does not accept tokens that do not have the iat claim.

If one provides a JWT token with all other claims valid (iss, sub, nbf, exp, aud) but missing `iat`, the Azure AD token endpoint will complain with:

{
    "error": "invalid_request",
    "error_description": "AADSTS70023: External OIDC Provider token must have a lifetime of less than or equal to 1.01:00:00. Token issued at 0. Token expires on 1643129773.\r\nTrace ID: 672d2e00-1b99-46e3-b386-c96efb275700\r\nCorrelation ID: a4cfb210-af5c-4f97-a110-6aed81e71661\r\nTimestamp: 2022-01-25 15:56:23Z",
    "error_codes": [
        70023
    ],
    "timestamp": "2022-01-25 15:56:23Z",
    "trace_id": "672d2e00-1b99-46e3-b386-c96efb275700",
    "correlation_id": "a4cfb210-af5c-4f97-a110-6aed81e71661",
    "error_uri": "https://login.microsoftonline.com/error?code=70023"
}

I believe this to be an important requirement and must be mentioned.

Even more, according to RFC 7519, section 4.1.6, this claim is OPTIONAL (ref. https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6). So, if Azure AD requires it, it should be explicitly made clear.



JamesTran-MSFT commented 2 years ago

@astaykov Thanks for your feedback! I've assigned this issue to the author who will investigate and update as appropriate.

rwike77 commented 2 years ago

@astaykov Thanks for bringing this up, I'm following up with engineering on this.

rwike77 commented 2 years ago

@astaykov According to this article the iat claim is not required. The token lifetime is being determined by the exp and nbf claims. lifetime = exp - nbf.

astaykov commented 2 years ago

@rwike77 If something has not changed since I raised the issue, the provided error message proves your statement wrong. And while I do read documentation, I provide feedback based on empirical trials. So would you mind checking with engineering, or trying it yourself, before closing this one.

rwike77 commented 2 years ago

We had some internal discussion, you're right. iat is required right now. I added it to the list of claims in this article and added a few links to it from other workload identity federation articles. Thanks for bringing this issue up. I'm closing this now, feel free to reopen if necessary. #please-close
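A pre-flight check for the behaviour this thread settles on, written as an added example that is not part of the issue or the Azure docs: it lints the claims of an external OIDC token for the fields Azure AD's federated credential exchange rejects on (the claims from the original report plus the required `iat`) and the 1.01:00:00 lifetime bound quoted in the AADSTS70023 error, computed as exp - nbf as in the final comments. The issuer, subject, audience and signature segment in the sample are placeholders; only the `exp` value is the one from the error message, and no signature verification is performed.

```python
import base64
import json
import time
from typing import List, Optional

# Lifetime bound quoted by the AADSTS70023 error in this issue: 1.01:00:00 = 25 h.
MAX_LIFETIME_SECONDS = 25 * 60 * 60
# Claims the report lists as "all valid other claims", plus the required iat.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "nbf", "iat")


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def decode_claims(token: str) -> dict:
    """Read the payload segment of a compact JWS. Claims only: the signature is
    NOT verified here; Azure AD checks it against the issuer's published keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def lint_federated_token(claims: dict, now: Optional[int] = None) -> List[str]:
    """List the reasons Azure AD would reject these claims; empty if none."""
    now = int(time.time()) if now is None else now
    problems = [f"missing required claim: {c}" for c in REQUIRED_CLAIMS if c not in claims]
    for c in ("exp", "nbf", "iat"):
        if c in claims and not isinstance(claims[c], int):
            problems.append(f"{c} must be a NumericDate (integer seconds)")
    if problems:
        return problems
    lifetime = claims["exp"] - claims["nbf"]  # lifetime = exp - nbf, as stated in the thread
    if lifetime > MAX_LIFETIME_SECONDS:
        problems.append(f"lifetime {lifetime}s exceeds 1.01:00:00 ({MAX_LIFETIME_SECONDS}s)")
    if claims["exp"] <= now:
        problems.append("token already expired")
    if claims["iat"] > claims["exp"]:
        problems.append("iat is after exp")
    return problems


# Constructed sample: exp is the value from the issue's error; issuer, subject,
# audience and the signature segment are placeholders, not real values.
SAMPLE_CLAIMS = {"iss": "https://idp.example.invalid", "sub": "repo:example/ci",
                 "aud": "api://placeholder-audience", "nbf": 1643126173, "exp": 1643129773}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(SAMPLE_CLAIMS),
                         "signature-placeholder"])
```

Running `lint_federated_token(decode_claims(SAMPLE_TOKEN))` on the sample reports only the missing `iat`, which is the situation the original report describes; adding `iat` clears it.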