Closed astaykov closed 2 years ago
@astaykov Thanks for your feedback! I've assigned this issue to the author who will investigate and update as appropriate.
@astaykov Thanks for bringing this up, I'm following up with engineering on this.
@astaykov According to this article the iat claim is not required. The token lifetime is being determined by the exp and nbf claims: lifetime = exp - nbf.
@rwike77 If something has not changed since I raised the issue, the provided error message proves your statement wrong. And while I do read documentation, I provide feedback based on empirical trials. So would you mind checking with engineering, or trying it yourself, before closing this one.
We had some internal discussion, you're right. iat is required right now. I added it to the list of claims in this article and added a few links to it from other workload identity federation articles. Thanks for bringing this issue up. I'm closing this now, feel free to reopen if necessary. #please-close
The documentation about workload identity federation is missing particularly important information about the required iat (issued at) claim. Azure AD does not accept tokens that do not have the iat claim.
If one provides a JWT token with all other valid claims (iss, sub, nbf, exp, aud), but missing iat, the Azure AD token endpoint will complain with:
I believe this to be an important requirement and must be mentioned.
Even more, according to RFC 7519, section 4.1.6. this claim is OPTIONAL (ref. https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6). So, if Azure AD requires it, it should be explicitly made clear.
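The following is an added illustration of the claim check the thread describes, not code from the docs page, from Microsoft, or from either participant. It treats iss, sub, aud, nbf, exp and iat as required (the outcome of the thread), computes the lifetime as exp - nbf as stated in the reply above, and shows that a token missing only iat is rejected while an otherwise identical token with iat passes. The issuer, audience and timestamps are constructed sample values, and the sample token carries a placeholder signature segment; signature verification against the issuer's published keys is a separate step that this code does not perform.

```python
"""Claim checks for a JWT presented to Azure AD workload identity federation.

Added example (not from the documentation or the thread participants).
Signature verification is NOT done here; run it before trusting any claim.
"""
import base64
import json
import time
from typing import Dict, List, Optional

# Claims the thread settles on as mandatory, including iat.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "nbf", "exp", "iat")

# Constructed sample values; a real deployment uses its own issuer/audience.
SAMPLE_ISS = "https://idp.example.invalid"
SAMPLE_AUD = "sample-audience"


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as compact JWS segments are encoded."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> Dict:
    """Return the claims from the middle segment of a compact JWT.

    This only decodes; it does not verify the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_lifetime(claims: Dict) -> int:
    """Lifetime in seconds as defined in the thread: exp - nbf."""
    return int(claims["exp"]) - int(claims["nbf"])


def check_claims(claims: Dict, *, expected_iss: str, expected_aud: str,
                 now: Optional[int] = None, max_lifetime: int = 3600) -> List[str]:
    """Return a list of problems; an empty list means the claims pass.

    Presence of every required claim is checked first, so a token that is
    valid in every other respect but lacks iat is reported on that alone.
    """
    problems: List[str] = []
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            problems.append(f"missing required claim: {name}")
    if problems:
        return problems
    now = int(time.time()) if now is None else now
    if claims["iss"] != expected_iss:
        problems.append("issuer mismatch")
    aud = claims["aud"]
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    if now < int(claims["nbf"]):
        problems.append("token not yet valid (nbf in the future)")
    if now >= int(claims["exp"]):
        problems.append("token expired")
    if int(claims["iat"]) > now:
        problems.append("iat is in the future")
    if token_lifetime(claims) > max_lifetime:
        problems.append(f"lifetime {token_lifetime(claims)}s exceeds {max_lifetime}s")
    return problems


def make_sample_token(claims: Dict) -> str:
    """Build a demo token: real header/payload encoding, placeholder signature."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-placeholder"


def demo() -> Dict[str, List[str]]:
    """Check a token without iat and the same token with iat (constructed data)."""
    now = 1_700_000_000  # fixed clock so results are reproducible
    base = {"iss": SAMPLE_ISS, "sub": "ci-job-42", "aud": SAMPLE_AUD,
            "nbf": now - 60, "exp": now + 540}
    with_iat = dict(base, iat=now - 60)
    return {
        "without_iat": check_claims(decode_jwt_payload(make_sample_token(base)),
                                    expected_iss=SAMPLE_ISS, expected_aud=SAMPLE_AUD, now=now),
        "with_iat": check_claims(decode_jwt_payload(make_sample_token(with_iat)),
                                 expected_iss=SAMPLE_ISS, expected_aud=SAMPLE_AUD, now=now),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result or "ok")
```

Running it reports the token without iat as rejected for the missing claim and the token with iat as passing; the exact wording of Azure AD's own error is not reproduced here, since the thread's copy of it did not survive extraction.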