Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
oidc
Describe the bug
Having a JWT Authorization Grant identity provider configured to create a generic trust relationship with an Entra ID tenant:
And an OpenID Connect Client:
Every attempt to get a token from Keycloak results in a "Token was issued too far in the past to be used now" error.
Version
26.5.3
Regression
- The issue is a regression
Expected behavior
A valid token from Keycloak.
Actual behavior
Always receiving a "Token was issued too far in the past to be used now" error.
How to Reproduce?
- Configure IdP and client as depicted in the bug description.
- Request a token from Entra Id for an App Registration (Service Principal) using:
- POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token endpoint with grant_type = client_credentials
- Request a Keycloak token as depicted in the bug description.
Anything else?
Entra ID issues the token with an iat 5 minutes before the actual request for the token, so the token is already 5 minutes old right after it is issued. Setting "Max allowed assertion expiration" and/or "Allowed clock skew" to more than 5 minutes also results in the same error.
Keycloak is deployed on containerized App Services in Azure; the server clock is in UTC and synchronized, so a time synchronization issue should be very unlikely.
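A quick way to confirm what the report describes before opening the Keycloak admin console: decode the Entra ID access token you are about to present as the assertion, read its `iat`/`nbf`/`exp`, and compare the token's age against the skew and max-age window you expect the authorization server to apply. The script below is an added example, not code from this issue or from Keycloak; the window arithmetic in `check_assertion_timing` is a simplified model of a JWT-bearer freshness check (an assumption), not Keycloak's implementation. The sample token is constructed inline with a placeholder signature and a placeholder `sub`/`aud`, and it reproduces the 5-minute backdated `iat` from the report; `decode_claims` deliberately skips signature verification because it only reads timestamps off a token you already hold.

```python
"""Diagnose a "Token was issued too far in the past" rejection of a JWT-bearer assertion.

Added example, not Keycloak code. check_assertion_timing() is a simplified model
of an authorization server's freshness checks, used here only to show how a
backdated iat interacts with an allowed-skew / max-age window.
"""
import base64
import json


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_claims(jwt: str) -> dict:
    """Return the payload of a compact JWS WITHOUT verifying the signature.
    Diagnostic only: never use this to make a trust decision."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def entra_like_assertion(now: int) -> str:
    """Constructed sample mimicking the behaviour in the report: iat/nbf sit
    5 minutes before the moment the token is actually minted. The signature
    segment is a placeholder, so only decode_claims() can read it."""
    claims = {
        "aud": "api://keycloak-broker",  # assumed audience value
        "iss": "https://login.microsoftonline.com/{tenant_id}/v2.0",
        "sub": "00000000-0000-0000-0000-000000000000",  # placeholder service principal
        "iat": now - 300,
        "nbf": now - 300,
        "exp": now + 3600,
    }
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}

    def enc(obj: dict) -> str:
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    return f"{enc(header)}.{enc(claims)}.{_b64url_encode(b'not-a-real-signature')}"


def check_assertion_timing(claims: dict, now: int, allowed_skew: int, max_age: int):
    """Simplified model (assumption, not Keycloak's code) of freshness checks:
      - exp must not have passed (minus skew)
      - nbf must not lie in the future (plus skew)
      - iat must not lie in the future (plus skew)
      - iat must not be older than max_age (plus skew)  <- the failing check
    Returns (ok, reason, age_seconds)."""
    iat = claims["iat"]
    nbf = claims.get("nbf", iat)
    exp = claims["exp"]
    age = now - iat
    if exp + allowed_skew <= now:
        return False, "assertion expired", age
    if nbf - allowed_skew > now:
        return False, "assertion not yet valid", age
    if age < -allowed_skew:
        return False, "assertion issued in the future", age
    if age > max_age + allowed_skew:
        return False, "Token was issued too far in the past to be used now", age
    return True, "ok", age


def diagnose(jwt: str, now: int, allowed_skew: int, max_age: int) -> dict:
    """Decode the assertion and report whether it fits the window, and by how much."""
    claims = decode_claims(jwt)
    ok, reason, age = check_assertion_timing(claims, now, allowed_skew, max_age)
    return {
        "ok": ok,
        "reason": reason,
        "iat_age_seconds": age,
        "headroom_seconds": max_age + allowed_skew - age,
    }


if __name__ == "__main__":
    import time

    now = int(time.time())
    token = entra_like_assertion(now)
    # Replace `token` with a real Entra ID access token to diagnose your own setup.
    for skew, max_age in [(0, 60), (60, 60), (300, 60), (0, 600)]:
        print(f"skew={skew:>3}s max_age={max_age:>3}s ->", diagnose(token, now, skew, max_age))
```

With the 5-minute backdated `iat`, the check fails for any window where `max_age + allowed_skew` is below 300 seconds and passes once the combined window covers it; a negative `headroom_seconds` tells you how far outside the window a real token lands. If a real token still fails with a window that this check says is wide enough, the rejection is coming from something other than the simple `iat` age modelled here.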