
Entra (Azure) ID OIDC clock skew config item. #2055

@ch0wm3in

Hello!

Issue details

As described in #339, it is still to this day impossible to configure Entra ID (Azure) OIDC so that it actually works and signs in without "disableIssuedAtCheck": true, which seems to be an important security feature.

The clock skew seems to be something Microsoft does intentionally. Paraphrasing from a Microsoft-related library issue, AzureAD/microsoft-authentication-library-for-js#512:
The clock skew is needed to avoid situations where the client clock and the token-issuing service clock are not exactly in sync.

There seem to be mentions around the internet that you can disable the skew from within your Entra ID config, but this seems to have been retracted since, and there is no official/public documentation on it.

Could this possibly be solved or made more secure? Instead of disabling the check altogether, you could have a config item for OIDC that lets you "loosen the skew check" to 5m or 10m when such issues arise from different providers not being 100% compliant.

Why is this needed?

I think it would be good to support Entra ID (Azure) so that OIDC actually works as intended, and so that you can make the check behind "disableIssuedAtCheck": true less strict rather than disabling it completely.
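An added example of the middle ground the issue proposes, written for this page and not taken from the project or the issue author: a time-claim validator where "iat" is still checked, but with a configurable tolerance (for example 5 minutes) for the issuer's clock running ahead of ours, plus an optional cap on token age so a generous tolerance does not also admit stale tokens. The function and class names (validate_time_claims, outcome, TokenTimeError), the parameter names, and the sample claims are all assumptions for illustration; no signature verification is done, since only the exp/nbf/iat logic is the point.

```python
"""
Time-claim validation with a bounded clock-skew tolerance rather than an
on/off 'iat' check.  Added example; not code from this project or the issue
author.  The token claims below are constructed samples and no signature is
verified: only the exp/nbf/iat logic is demonstrated.
"""
from datetime import timedelta
import time


class TokenTimeError(Exception):
    """A time-based claim (exp, nbf or iat) failed validation."""


def _seconds(value):
    """Accept either a timedelta or a plain number of seconds."""
    return int(value.total_seconds()) if isinstance(value, timedelta) else int(value)


def validate_time_claims(claims, *, now=None, clock_skew=0,
                         check_issued_at=True, max_token_age=None):
    """Validate exp, nbf and iat of a decoded token against our clock.

    clock_skew      -- tolerance for the issuer's clock being ahead of or behind
                       ours (the proposed "loosen the skew check" knob, e.g.
                       timedelta(minutes=5) or 300).
    check_issued_at -- False reproduces an all-or-nothing "disableIssuedAtCheck".
    max_token_age   -- optional cap on (now - iat) so a generous skew does not
                       also let very old tokens through.
    Returns the claims on success and raises TokenTimeError otherwise.
    """
    now = int(time.time()) if now is None else int(now)
    skew = _seconds(clock_skew)
    if skew < 0:
        raise ValueError("clock_skew must be non-negative")

    # exp is mandatory; tolerate the issuer's clock running behind ours.
    if "exp" not in claims:
        raise TokenTimeError("missing exp")
    if now > int(claims["exp"]) + skew:
        raise TokenTimeError("token expired")

    # iat is required for OIDC ID tokens. A value more than `skew` seconds in
    # the future indicates a clock problem or a token that should not exist yet.
    if check_issued_at:
        if "iat" not in claims:
            raise TokenTimeError("missing iat")
        iat = int(claims["iat"])
        if iat > now + skew:
            raise TokenTimeError(
                f"iat is {iat - now}s in the future, tolerance is {skew}s")
        if max_token_age is not None and now - iat > _seconds(max_token_age) + skew:
            raise TokenTimeError("token too old")

    # nbf is optional; tolerate the issuer's clock running ahead of ours.
    if "nbf" in claims and now + skew < int(claims["nbf"]):
        raise TokenTimeError("token not yet valid (nbf)")

    return claims


# Constructed sample: our clock says OUR_NOW, but the issuer stamped the token
# 5 minutes later than that, i.e. the issuer's clock is 300 s ahead of ours.
OUR_NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "aud": "example-client-id",          # assumed client id
    "iat": OUR_NOW + 300,
    "exp": OUR_NOW + 300 + 3600,
}
# Constructed sample with iat 20 minutes in the future: a tolerance of 5 minutes
# must still reject this one, which is what distinguishes it from disabling the check.
FAR_FUTURE_CLAIMS = dict(SAMPLE_CLAIMS, iat=OUR_NOW + 1200, exp=OUR_NOW + 1200 + 3600)


def outcome(claims=SAMPLE_CLAIMS, **kwargs):
    """Return 'accepted' or 'rejected: <reason>' for the claims at OUR_NOW."""
    try:
        validate_time_claims(claims, now=OUR_NOW, **kwargs)
        return "accepted"
    except TokenTimeError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    print("strict iat check          :", outcome())
    print("iat check disabled        :", outcome(check_issued_at=False))
    print("5 min tolerance           :", outcome(clock_skew=timedelta(minutes=5)))
    print("5 min tolerance, +20 min  :", outcome(FAR_FUTURE_CLAIMS, clock_skew=timedelta(minutes=5)))
    print("iat check disabled, +20min:", outcome(FAR_FUTURE_CLAIMS, check_issued_at=False))
```

Run as a script, the first line shows the rejection the issue describes, the second shows that disabling the check accepts anything, and the last two show why a bounded tolerance is the better knob: a 5-minute tolerance accepts the 5-minute-ahead token but still rejects one stamped 20 minutes ahead, while "check disabled" accepts both.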

Labels

enhancement, needs triage (Waiting for discussion / prioritization by team)
