Before reporting an issue
Area
oidc
Describe the bug
Having a JWT Authorization Grant identity provider configured to create a generic trust relationship with an Entra ID tenant:
And an OpenID Connect Client:
Every attempt to get a token from Keycloak results in a "Token was issued too far in the past to be used now" error.
Version
26.5.3
Regression
Expected behavior
A valid token from keycloak
Actual behavior
Always receiving "Token was issued too far in the past to be used now" error
How to Reproduce?
- Configure IdP and client as depicted in the bug description.
- Request a token from Entra ID for an App Registration (Service Principal) using:
- Request a Keycloak token as depicted in the bug description.
Anything else?
Entra ID issues the token with an iat 5 minutes before the actual request of the token; this results in an already 5-minute-old token right after it is issued. Setting "Max allowed assertion expiration" and/or "Allowed clock skew" to more than 5 minutes also results in the same error.
Keycloak is deployed on containerized App Services in Azure; the server clock is in UTC and synchronized, so a time synchronization issue should be very unlikely.
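The following is an added illustration of the timing problem the report describes, not Keycloak's code and not a reproduction of its validation logic. It builds a constructed HS256 assertion whose `iat` and `nbf` are backdated by 300 seconds (the behaviour the reporter observed from Entra ID; a real Entra ID token is RS256-signed), then runs a generic RFC 7523-style time check with an assumed maximum token age and allowed clock skew. The parameter names `max_age_s` and `skew_s`, the issuer and audience strings, and the signing key are all made up here; how they map onto Keycloak's "Max allowed assertion expiration" and "Allowed clock skew" settings is not established by the report.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing key for the sample assertion only; HS256 keeps the
# example self-contained (a real Entra ID token is RS256-signed).
SAMPLE_KEY = b"constructed-sample-key-not-a-real-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(claims: dict, key: bytes = SAMPLE_KEY) -> str:
    """Build an HS256-signed JWT from the given claims (constructed sample)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_claims(token: str, key: bytes = SAMPLE_KEY) -> dict:
    """Verify the HS256 signature and return the payload claims."""
    signing_input, _, sig_b64 = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(signing_input.split(".")[1]))


def entra_style_claims(now: int, backdate_s: int = 300) -> dict:
    """Constructed claims mimicking the report: iat and nbf sit 5 minutes
    before the moment the token was actually issued."""
    return {
        "iss": "https://idp.example/constructed-tenant",   # assumed issuer
        "aud": "https://keycloak.example/realms/demo",      # assumed audience
        "sub": "constructed-service-principal",
        "iat": now - backdate_s,
        "nbf": now - backdate_s,
        "exp": now + 3600,
    }


def check_time_claims(claims: dict, now: int, max_age_s: int, skew_s: int) -> tuple[bool, str]:
    """Generic RFC 7523-style time validation of an assertion (not Keycloak's logic).

    max_age_s: how old an assertion may be, measured from iat.
    skew_s:    tolerance applied to every time comparison.
    """
    exp, nbf, iat = claims.get("exp"), claims.get("nbf"), claims.get("iat")
    if exp is None or iat is None:
        return False, "exp and iat are required"
    if now > exp + skew_s:
        return False, "token expired"
    if nbf is not None and now + skew_s < nbf:
        return False, "token not yet valid"
    if iat > now + skew_s:
        return False, "token issued in the future"
    age = now - iat
    if age > max_age_s + skew_s:
        return False, f"issued too far in the past (age {age}s > max {max_age_s}s + skew {skew_s}s)"
    return True, "ok"


def run_scenarios(now: int) -> dict:
    """Run the backdated assertion through several assumed settings."""
    token = make_assertion(entra_style_claims(now))
    claims = decode_claims(token)
    return {
        "age_at_issue_s": now - claims["iat"],
        "max60_skew0": check_time_claims(claims, now, 60, 0),
        "max60_skew300": check_time_claims(claims, now, 60, 300),
        "max600_skew0": check_time_claims(claims, now, 600, 0),
    }


if __name__ == "__main__":
    for name, result in run_scenarios(1_700_000_000).items():
        print(name, result)
```

With a 300-second backdate the assertion is already older than a 60-second maximum age the instant it is issued, and only a skew or maximum age that covers the full 300 seconds lets the check pass. The reporter's observation that raising the Keycloak settings above 5 minutes still fails is therefore not explained by this simple model, which is one reason to compare the rejecting server's notion of "now" against the token's `iat` directly.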