
Entra(Azure) ID OIDC clock skew config item. #2055

Open
ch0wm3in opened this issue Nov 3, 2024 · 1 comment
Labels
enhancement needs triage Waiting for discussion / prioritization by team

Comments


ch0wm3in commented Nov 3, 2024

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

As described in #339, it is still to this day impossible to configure Entra ID (Azure) OIDC so that it actually works and signs in without "disableIssuedAtCheck": true, which seems to be an important security feature.

The clock skew seems to be something Microsoft does intentionally; paraphrasing from a Microsoft-related library issue, AzureAD/microsoft-authentication-library-for-js#512:
The clock skew is needed to avoid situations where the client clock and the token-issuing service clock are not exactly in sync.

There are mentions around the internet that you can disable the skew from within your Entra ID config, but that seems to have been retracted since, and there is no official/public documentation on it.

Could this possibly be solved or made more secure? Instead of disabling the check altogether, you could have a config item for OIDC where you can "loosen the skew check" to 5m or 10m when such issues arise from different providers not being 100% compliant.

Why is this needed?

I think it would be good to support Entra ID (Azure) so that the OIDC actually works as intended, and so that you can make the "disableIssuedAtCheck": true behaviour less strict without completely disabling it.

@ch0wm3in ch0wm3in added enhancement needs triage Waiting for discussion / prioritization by team labels Nov 3, 2024
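The bounded-skew check the issue asks for, as an added Go example that is not step-ca's code: a hypothetical IssuedAtPolicy carries either the existing disable-everything switch or a tolerated skew, and CheckIssuedAt applies it to an iat claim. The type and function names, the three-minute sample offset and the fixed "now" are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// IssuedAtPolicy is a hypothetical configuration shape for the proposed
// provisioner option: either skip the "iat" check entirely (what
// "disableIssuedAtCheck": true does today) or accept a bounded clock skew.
type IssuedAtPolicy struct {
	Disabled bool          // equivalent to "disableIssuedAtCheck": true
	Skew     time.Duration // maximum tolerated clock skew, e.g. 5 * time.Minute
}

var (
	ErrMissingIssuedAt = errors.New("token has no iat claim")
	ErrIssuedInFuture  = errors.New("token iat is in the future beyond the allowed skew")
)

// CheckIssuedAt validates an "iat" claim (Unix seconds, as in a JWT; zero
// means absent) against now. A token issued up to Skew in the future is
// accepted; anything further ahead is rejected unless the check is disabled.
func CheckIssuedAt(iat int64, now time.Time, p IssuedAtPolicy) error {
	if p.Disabled {
		return nil
	}
	if iat == 0 {
		return ErrMissingIssuedAt
	}
	issued := time.Unix(iat, 0)
	if issued.After(now.Add(p.Skew)) {
		return fmt.Errorf("%w: iat=%s now=%s skew=%s", ErrIssuedInFuture,
			issued.UTC().Format(time.RFC3339), now.UTC().Format(time.RFC3339), p.Skew)
	}
	return nil
}

func main() {
	// Constructed scenario: the issuer's clock runs three minutes fast.
	now := time.Date(2024, 11, 3, 12, 0, 0, 0, time.UTC)
	ahead := now.Add(3 * time.Minute).Unix()
	for _, p := range []IssuedAtPolicy{{}, {Skew: 5 * time.Minute}, {Disabled: true}} {
		fmt.Printf("policy=%+v err=%v\n", p, CheckIssuedAt(ahead, now, p))
	}
}
```

Only the strict policy rejects the three-minute skew; a 5m tolerance accepts it while still rejecting a token an hour ahead, which the disabled check would let through.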
Contributor

dopey commented Nov 8, 2024

Hey @ch0wm3in 👋, thanks for opening the issue!

We triaged and there was general agreement from our team that this could be a useful feature to help address the behavior you're describing. However, it's a non-trivial amount of changes - it would require additions to this repo, smallstep/linkedca, and smallstep/cli to fully incorporate the changes. We don't have the bandwidth to take it on at this time, but we'd be open to accepting such a contribution from the community.

If there's more engagement from the community (in the form of likes and comments, or folks letting us know they're running into the same behavior) we will reconsider our roadmap prioritization.

cheers 🍻
