Hello,
I am trying to use JWT Authorization Grant to exchange an Entra ID JWT token for a KC issued token. Both the Identity provider and the client are already configured, but when I try to get the KC token I get the “Token was issued too far in the past to be used now” error, even for tokens issued less than a minute ago.
I noticed that Entra ID creates the token with the iat claim set 5 minutes before the actual date and time when the token was requested; even setting the Allowed clock skew to 5 minutes or more results in the same error.
I am using the /realms/{realm}/protocol/openid-connect/token endpoint to request the token, along with the client credentials to authenticate, and these parameters in the body:
- grant_type = urn:ietf:params:oauth:grant-type:jwt-bearer
- assertion = {entraid-jwt}
Is there any other configuration that I have missed?
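
Added example, not part of the original post and not Keycloak's code: a small Python diagnostic that reads the assertion's time claims without verifying the signature and reports how far `iat` sits from the request time. The freshness rule, `max_age_s`, `skew_s`, the issuer URL and the sample token are assumptions constructed for illustration.

```python
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    # Diagnostic only: reads the payload and does NOT verify the signature.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(b64url_decode(parts[1]))


def time_claim_offsets(token: str, now: int) -> dict:
    # Seconds between each time claim and `now`; negative means in the past.
    claims = jwt_claims(token)
    return {k: int(claims[k]) - now for k in ("iat", "nbf", "exp") if k in claims}


def iat_within_window(token: str, now: int, max_age_s: int, skew_s: int) -> bool:
    # Generic freshness rule (an assumption, not Keycloak's implementation):
    # accept when the token's age is at most max_age_s + skew_s.
    offsets = time_claim_offsets(token, now)
    if "iat" not in offsets:
        raise ValueError("token has no iat claim")
    return -offsets["iat"] <= max_age_s + skew_s


def make_sample_token(now: int) -> str:
    # Constructed sample: iat backdated 300 s as the post describes;
    # the signature segment is a dummy value.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": "https://issuer.example", "iat": now - 300, "exp": now + 3600}
    return f"{enc(header)}.{enc(payload)}.c2ln"


if __name__ == "__main__":
    now = int(time.time())
    token = make_sample_token(now)
    print("offsets (s):", time_claim_offsets(token, now))
    for max_age, skew in ((60, 0), (60, 300)):
        print(max_age, skew, iat_within_window(token, now, max_age, skew))
```

Running it against a real assertion at the moment of the request shows whether the backdated `iat` alone already exceeds the configured tolerance.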