Friday, October 27, 2017

Azure : Weird problem with OAuth timing

Came across a head-scratcher recently.

Using OpenID Connect / OAuth against Azure AD, authentication would always fail and then work if you retried two minutes later. Before that, retries would consistently fail.

WTF? What is the significance of two minutes?

Mr. Google to the rescue and came across a similar problem in SAML-P.

The problem here was that the two servers clocks were not synchronised. The token has start / end parameters for the validity of the token and any time outside of these is considered invalid and hence the token is rejected. (You can fix this via the skew parameter),

The OAuth JWT token has similar fields viz.

iat - Issued at
nbf - Not before

Checking the respective server's times, this would indeed the problem :-)

And you guessed it - the server's times were two minutes apart!

Enjoy!

No comments: