SilentRenew, auth_time in id_token does not match original auth_time

[Taats]

The title says it all, when i do a silent renew the call completes and the error i get is that "auth_time in id_token does not match original auth_time".

I'm using Azure B2C and this is how my UserManager is being set up:

private createUserManagerSettingsData(authority: string, profile: string): UserManagerSettings {
        return {
            authority: "https://localhost:5001/api/oidc/B2C_1_signupsignin1",
            client_id: this.data.client_id,
            redirect_uri: "https://localhost:5001/oidc-signin",
            response_type: "code",
            scope: "openid offline_access",
            post_logout_redirect_uri: "https://localhost:5001/oidc-signout",
            filterProtocolClaims: true,
            loadUserInfo: false,
            userStore: new WebStorageStateStore({ store: window.localStorage }),
            automaticSilentRenew: true,
            includeIdTokenInSilentRenew: true,
            silent_redirect_uri: "http://localhost:5001/assets/silent-callback.html",
            accessTokenExpiringNotificationTime: 60 * 4,
        };
    }

When silent renew kicks in the following error occurs:
UserManager._validateIdTokenFromTokenRefreshToken: auth_time in id_token does not match original auth_time

If anyone can point me in the right direction then that would be great since im struggling with this for a few days now.

[brockallen]

https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse

[Taats]

Yeah i've read that. I do get an id_token back in the response from B2C which i then pass on to oidc-client (untouched b2c response is returned). This id_token is causing the problem.

When i manually remove this id_token from the reponse all goes well but the token in the oidc-client is not refreshed then (it only seems to be using a new refresh_token). So, in turn the token expires and i need to log in again.

What i dont understand is how these two auth times can differ. I do request the same scopes and when i try to refresh with no scope it still generates the same error.

[brockallen]

What i dont understand is how these two auth times can differ.

I don't know either. My guess? AB2C didn't follow the spec when they wrote their code.

[Taats]

Well i doubt that is the case considering b2c is out for quite a while now. Most likely it is not a problem with oidc-client either but a "simple" configuration setting - i just can't seem to find it.

Do you have any guess on how my configuration could be wrong on the silent refresh?

[brockallen]

Well i doubt that is the case considering b2c is out for quite a while now.

You put a lot of faith into them. I can tell you there are several other areas where they don't follow the spec.

Do you have any guess on how my configuration could be wrong on the silent refresh?

No idea. Check their portal for token lifetime settings.

[Taats]

I guess I did put a lot of faith in them, to bad they didnt came through.

I've replaced the oidc-client with angular-auth-oidc-client (from Damienbod) and in there the silent-refresh does not yield errors. When i then inspect the token i received from Azure i can see the timestamps are different but appearently this library doesnt seem to care.

Thank you for pointing me in the right direction! <3

[mahoekst]

I confirmed with the B2C team. This is a bug

[Taats]

@mahoekst, did you happen to open a ticket there at the b2c team where I/we can track this bug or shall i open one?

[mahoekst]

I asked the team and they created an issue in their own system. If you need a fix quickly you should definitely open a ticket. Tell them the engineers filed the issues as #940448 in their system

[EliodorPopov]

I have the same problem, but for me the auth_time does not differ in these 2. Could it be a oidc-client-js problem?

[HarmanDhunna]

The B2C team has fixed the issue.

[maximsan]

Hello @brockallen. We get the same error but with IdentityServer3. We've checked auth_time in original token and in id_token that's returned by Identity Server when we do token refreshment and they match every time, but we still have the error UserManager._validateIdTokenFromTokenRefreshToken: auth_time in id_token does not match original auth_time. Any ideas what can be the reason ? Thank you in advance.