Oidc-client-js: SilentRenew, auth_time in id_token does not match original auth_time

Created on 24 Feb 2020 · 11 Comments · Source: IdentityModel/oidc-client-js

The title says it all: when I do a silent renew the call completes, and the error I get is "auth_time in id_token does not match original auth_time".

I'm using Azure B2C and this is how my UserManager is being set up:

import { UserManagerSettings, WebStorageStateStore } from "oidc-client";

private createUserManagerSettingsData(authority: string, profile: string): UserManagerSettings {
    return {
        authority: "https://localhost:5001/api/oidc/B2C_1_signupsignin1",
        client_id: this.data.client_id,
        redirect_uri: "https://localhost:5001/oidc-signin",
        response_type: "code",
        scope: "openid offline_access",
        post_logout_redirect_uri: "https://localhost:5001/oidc-signout",
        filterProtocolClaims: true,
        loadUserInfo: false,
        userStore: new WebStorageStateStore({ store: window.localStorage }),
        automaticSilentRenew: true,
        includeIdTokenInSilentRenew: true,
        silent_redirect_uri: "http://localhost:5001/assets/silent-callback.html",
        accessTokenExpiringNotificationTime: 60 * 4,
    };
}

When silent renew kicks in the following error occurs:
UserManager._validateIdTokenFromTokenRefreshToken: auth_time in id_token does not match original auth_time

If anyone can point me in the right direction that would be great, since I've been struggling with this for a few days now.
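The error above comes from the claim comparison oidc-client-js runs on the id_token returned with a refreshed token set. The following is an added example, not code from the library or from the original post; it mirrors that comparison (the `sub`, `auth_time` and `azp` checks) on two constructed id_tokens so the failing case can be reproduced offline. Signature verification is assumed to have happened before this step.

```javascript
// Added example, not code from oidc-client-js or the original post. It mirrors
// the claim comparison applied to an id_token returned alongside a refreshed
// token set (the check whose error message the post quotes). Signature
// checking is assumed to have happened before this step.

function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Returns null when the renewed id_token is consistent with the profile from
// the original sign-in, otherwise the reason the renewal would be rejected.
function validateRenewedIdToken(originalProfile, renewedIdToken) {
  const p = decodeJwtPayload(renewedIdToken);
  if (p.sub !== originalProfile.sub) {
    return "sub in id_token does not match current sub";
  }
  // auth_time marks when the end user actually authenticated; a refresh must
  // not move it, so a re-stamped auth_time is treated as a different session.
  if (p.auth_time && p.auth_time !== originalProfile.auth_time) {
    return "auth_time in id_token does not match original auth_time";
  }
  if (p.azp && p.azp !== originalProfile.azp) {
    return "azp in id_token does not match original azp";
  }
  if (!p.azp && originalProfile.azp) {
    return "azp not in id_token, but present in original id_token";
  }
  return null;
}

// Constructed sample tokens (alg "none", placeholder signature) purely to
// exercise the check; a real id_token is signed by the issuer.
function makeSampleJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.sig`;
}

const originalProfile = { sub: "user-0001", auth_time: 1582500000 };
// Issuer kept auth_time from the original sign-in: renewal accepted.
const renewedOk = makeSampleJwt({ sub: "user-0001", auth_time: 1582500000, iat: 1582503600 });
// Issuer re-stamped auth_time at refresh time: the failure the post reports.
const renewedBad = makeSampleJwt({ sub: "user-0001", auth_time: 1582503600, iat: 1582503600 });

console.log(validateRenewedIdToken(originalProfile, renewedOk));  // null
console.log(validateRenewedIdToken(originalProfile, renewedBad));
```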

All 11 comments

Yeah, I've read that. I do get an id_token back in the response from B2C, which I then pass on to oidc-client (the untouched B2C response is returned). This id_token is causing the problem.

When I manually remove this id_token from the response all goes well, but the token in oidc-client is not refreshed then (it only seems to be using a new refresh_token). So, in turn, the token expires and I need to log in again.

What I don't understand is how these two auth times can differ. I do request the same scopes, and when I try to refresh with no scope it still generates the same error.

What I don't understand is how these two auth times can differ.

I don't know either. My guess? AB2C didn't follow the spec when they wrote their code.

Well, I doubt that is the case considering B2C has been out for quite a while now. Most likely it is not a problem with oidc-client either but a "simple" configuration setting; I just can't seem to find it.

Do you have any guess on how my configuration could be wrong on the silent refresh?

Well, I doubt that is the case considering B2C has been out for quite a while now.

You put a lot of faith into them. I can tell you there are several other areas where they don't follow the spec.

Do you have any guess on how my configuration could be wrong on the silent refresh?

No idea. Check their portal for token lifetime settings.

I guess I did put a lot of faith in them; too bad they didn't come through.

I've replaced oidc-client with angular-auth-oidc-client (from Damienbod) and in there the silent refresh does not yield errors. When I then inspect the token I received from Azure I can see the timestamps are different, but apparently this library doesn't seem to care.

Thank you for pointing me in the right direction! <3

I confirmed with the B2C team. This is a bug.

@mahoekst, did you happen to open a ticket there at the B2C team where I/we can track this bug, or shall I open one?

I asked the team and they created an issue in their own system. If you need a fix quickly you should definitely open a ticket. Tell them the engineers filed the issue as #940448 in their system.

I have the same problem, but for me the auth_time does not differ in these two. Could it be an oidc-client-js problem?

The B2C team has fixed the issue.
