When using OIDC code flow with PKCE and refresh tokens, the id_token returned in the refresh has an incorrect auth_time claim value. It returns the new issued time, and not the original.
From the OIDC spec:
"its iat Claim MUST represent the time that the new ID Token is issued, if the ID Token contains an auth_time Claim, its value MUST represent the time of the original authentication - not the time that the new ID token is issued,"
This is a bug in the public client Azure B2C implementation.
@damienbod can you post a link to the azure doc you are referring to?
The auth_time is the last time the application (or user) initiated an authentication attempt against Azure AD B2C. https://docs.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview
Can you please link the implementation guide that you are following?
@TravisCragg-MSFT @MarileeTurscak-MSFT
https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
Greetings Damien
Hi @damienbod,
Thanks. Based on that doc there does appear to be a discrepancy. I have reported this and requested a fix.
@MarileeTurscak-MSFT So will the Azure B2C implementation be fixed? It has a bug. This is NOT a docs bug, but an Azure B2C server implementation bug. I was reporting the implementation bug here because I have no idea where this should have been reported. Can you point me to the new issue?
Thanks and greetings Damien
Can I also request a link to the new issue? I'd like to know if there are plans for this to be addressed or if I should find an alternative approach to using auth_time.
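Added example, not code from this issue, from Azure AD B2C or from any of the participants: a client-side check for the spec rule quoted at the top of the thread (the ID token from a refresh response must carry a fresh iat but the original auth_time), plus the kind of workaround the last comment asks about, namely remembering auth_time from the interactive login and ignoring what refreshed tokens report. The issuer URL, subject, timestamps, the alg=none sample tokens and the names check_refreshed_id_token and SessionAuthState are all constructed for illustration; signature validation is deliberately left to the OIDC library you already use.

```python
import base64
import json
import time

# --- minimal JWT plumbing (no signature verification; see decode_claims) ---

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none JWT for the constructed samples below (assumption: offline
    demo only). Never accept alg=none tokens in a real client."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."

def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS. The signature is intentionally
    not checked here: validate the token (signature, iss, aud, exp, nonce) with
    your OIDC library first, then run the claim checks below on that payload."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

# --- the spec check (OIDC Core 1.0, section 12.2, Refresh Token Response) ---

def check_refreshed_id_token(login_claims: dict, refreshed_claims: dict) -> list:
    """Compare the ID token from a refresh response against the one from the
    interactive login. Returns a list of violations (empty list = compliant)."""
    problems = []
    if refreshed_claims.get("sub") != login_claims.get("sub"):
        problems.append("sub changed")
    if refreshed_claims.get("iss") != login_claims.get("iss"):
        problems.append("iss changed")
    # iat MUST be the issue time of the new token, so it must not go backwards
    if refreshed_claims.get("iat", 0) < login_claims.get("iat", 0):
        problems.append("iat is earlier than the login token's iat")
    # auth_time, if present, MUST still be the original authentication time
    if "auth_time" in login_claims:
        if "auth_time" not in refreshed_claims:
            problems.append("auth_time dropped from refreshed token")
        elif refreshed_claims["auth_time"] != login_claims["auth_time"]:
            problems.append("auth_time changed from %d to %d"
                            % (login_claims["auth_time"], refreshed_claims["auth_time"]))
    return problems

# --- client-side workaround: remember auth_time from the interactive login ---

class SessionAuthState:
    """Tracks the session's authentication time independently of refreshed ID
    tokens, so a max_age-style policy still works if the server resets auth_time."""

    def __init__(self, login_claims: dict):
        if "auth_time" not in login_claims:
            raise ValueError("login ID token has no auth_time; request it via max_age or claims")
        self.login_claims = login_claims
        self.auth_time = login_claims["auth_time"]
        self.violations = []

    def apply_refresh(self, refreshed_claims: dict) -> int:
        """Record any spec violations in the refreshed token, keep the original auth_time."""
        self.violations = check_refreshed_id_token(self.login_claims, refreshed_claims)
        return self.auth_time

    def needs_reauth(self, max_age_seconds: int, now=None) -> bool:
        """True when the user last authenticated more than max_age_seconds ago."""
        now = int(time.time()) if now is None else now
        return now - self.auth_time > max_age_seconds

# Constructed sample tokens (not real Azure AD B2C output): login, then a refresh
# 30 minutes later whose auth_time was reset to the new issue time, as reported above.
LOGIN_TOKEN = make_unsigned_token({"iss": "https://issuer.example", "sub": "user-1",
                                   "iat": 1600000000, "auth_time": 1600000000})
REFRESHED_TOKEN = make_unsigned_token({"iss": "https://issuer.example", "sub": "user-1",
                                       "iat": 1600001800, "auth_time": 1600001800})

def demo() -> tuple:
    """Run the check and the workaround over the constructed tokens."""
    state = SessionAuthState(decode_claims(LOGIN_TOKEN))
    kept = state.apply_refresh(decode_claims(REFRESHED_TOKEN))
    return kept, state.violations

if __name__ == "__main__":
    kept, violations = demo()
    print("auth_time kept by client:", kept)
    print("spec violations in refreshed token:", violations)
```

The check is only meaningful on a token whose signature and standard claims have already been validated; the workaround is safe because a refresh grant involves no user interaction, so a refreshed token can never legitimately carry a newer auth_time than the login token it descends from.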