This repository has been archived by the owner on Aug 28, 2023. It is now read-only.

Problems with signin in the updated sample #239

Closed
SteenMolberg opened this issue Oct 23, 2016 · 10 comments

@SteenMolberg

SteenMolberg commented Oct 23, 2016

I have tested out the updated sample (B2C-WebApp-OpenIDConnect-NodeJS) now, but have a lot of problems with the login. I keep getting this error:
"authentication failed due to: In _validateResponse: jwt is not active"

Can you help me out resolving what is going up?

Following the log it seems like the flow is working OK. I can enter the username and password and redirected back to the app. Following the log and the decoded token the corrected user seem to be returned, but still I get the error above,

The signup seems to work OK, but when return to the application I get the same error. Still in the decoded token log I can see the new user is returned.

I'm using the default session store for my testing of the sample.

Hope you can help me out. Thanks.

lovemaths self-assigned this Oct 24, 2016
@lovemaths

"jwt is not active" means the id_token received from AAD is not valid until some time in the future. It seems either we get a bad id_token from AAD or there is a difference between the two clocks. I will see if I can reproduce and let you know. Thanks.

@SteenMolberg

SteenMolberg commented Oct 24, 2016

Thanks @lovemaths, let me know if you need any info from me.

Hmm... you say "not valid util some time in the future"... could this be a timezone issue? I'm at UTC+1

@lovemaths

@SteenMolberg I am not sure what the issue is. I cannot reproduce the issue, the sample works fine for me. In lib/jsonWebToken.js, can you replace line 192:

      return done(new Error('jwt is not active'));

with

      return done(new Error(`jwt is not active, nbf: ${payload.nbf}, now: ${Date.now()}`));

This can tell me how much they differ when the error occurs next time (note ' is changed to ` in the error message). Also, please let me know what responseType you are using. Thanks.

@SteenMolberg

SteenMolberg commented Oct 27, 2016

@lovemaths
So after I made the small code change you requested I tested this again last night. To my surprise everything ran as expected. I logged in, created a new user, logged out, changed profile. Several times. No errors. Strange.
Then I repeated my testing this morning and logged in and out with different users. Everything seemed fine. But then I went to Reset password and canceled that again. Then I wanted to log in again but it failed.

Now I have tested a LOT, and with very confusing results. The error seems to occur often when I log out and try to log back in with a different user. When the error occurs it's like I'm stuck. When trying to sign in I don't get to select the user but it tries to sign in with the last user. I suspect that the session is not cleared sometimes. I think I will try testing with the MongoDB session handler to see if that makes a difference.

Here are some sample logs from the error after making the change you asked for:
{"name":"AzureAD: OIDC Passport Strategy","hostname":"STEEN_X1","pid":14964,"level":30,"msg":"authentication failed due to: In _validateResponse: jwt is not active, nbf: 1477544519, now: 1477544518785","time":"2016-10-27T05:01:58.785Z","v":0}

{"name":"AzureAD: OIDC Passport Strategy","hostname":"STEEN_X1","pid":3928,"level":30,"msg":"authentication failed due to: In _validateResponse: jwt is not active, nbf: 1477548228, now: 1477548227163","time":"2016-10-27T06:03:47.163Z","v":0}

I did not change the sample except the basic settings, so the responseType in the config is "code id_token". I'm not sure at this point how that maps to the settings in B2C.

@lovemaths

@SteenMolberg I figured it out based on your log. In id_token they round the nbf up, but passport rounds the time down. For example, nbf = 1477548228, now = 1477548227.163, so I should round the 'now' up to 1477548228. This problem can be fixed by changing the Math.floor in lib/jsonWebToken.js line 191 to Math.ceil. I will create a PR and include it in the next release. Thanks!

lovemaths added a commit that referenced this issue Oct 27, 2016
AAD rounds the nbf up, but we round the current time down, and this causes the 'jwt is not active' problem. For instance, if the current time is 1000.111 (seconds), then in id_token nbf is rounded up to 1001, but we round it down to 1000 and compare the time. The authentication then fails because the current time is before nbf.
lovemaths added a commit that referenced this issue Oct 27, 2016
AAD rounds the current time up to the nearest integer for the nbf value, but we round the current time down when we validate the nbf value. This fails the authentication because we think the current time is before nbf and the token is not active yet.
lovemaths added a commit that referenced this issue Oct 28, 2016
Issue #239 Problems with signin in the updated sample
lovemaths added the done label Nov 1, 2016
lovemaths added this to the 3.0.1 milestone Nov 1, 2016
@SteenMolberg

SteenMolberg commented Nov 2, 2016

hi @lovemaths

I had to add 1 sec to make it work consistently...

    var calcnow = Math.ceil(Date.now()/1000) + 1;

    if (payload.nbf > calcnow)
      //return done(new Error('jwt is not active'));
      return done(new Error(`jwt is not active, nbf: ${payload.nbf}, now: ${calcnow}`));

If I just changed flow to ceil I got problems when I tried something like reset password and cancel or signin and cancel.

@lovemaths

@SteenMolberg Thank you for the feedback!

@lovemaths

@SteenMolberg Added your fix to the new release 3.0.1, which is published today. Thanks!

@cadesalaberry

For some reason, I seem to have the same problem. Adding your line, I get the following:

{
  "name":"AzureAD: OIDC Passport Strategy",
  "hostname":"961179c14c60","pid":6,"level":30,
  "msg":"authentication failed due to: In _validateResponse: jwt is not active, nbf: 1511899838, now: 1511899537734",
  "time":"2017-11-28T20:05:37.735Z","v":0
}

Which results in a diff of precisely 301. Is it normal for it to be exactly one above the default clockSkew?

@SteenMolberg @lovemaths
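Added example (not code from passport-azure-ad or from any participant) modelling the nbf comparison lovemaths diagnosed above and the clockSkew boundary cadesalaberry hits: it replays the (nbf, now) pairs from the log lines posted in this thread under Math.floor and Math.ceil, with and without a skew tolerance. The 300-second default for clockSkew and the option name are assumptions taken from the "one above the default clockSkew" remark.

```javascript
// Added example for this thread; it is not code from passport-azure-ad.
// AAD writes nbf in whole seconds, rounded UP, while Date.now() is in
// milliseconds. Rounding "now" down (Math.floor) can therefore reject a
// token issued in the same second; Math.ceil (the fix) accepts it.
// clockSkew is a tolerance in seconds; the default of 300 is assumed.

function checkNotBefore(nbf, nowMs, opts = {}) {
  const { round = Math.ceil, clockSkew = 300, extraSeconds = 0 } = opts;
  // extraSeconds models the "+ 1" SteenMolberg added on top of Math.ceil.
  const now = round(nowMs / 1000) + extraSeconds;
  if (nbf > now + clockSkew) {
    return { active: false, msg: `jwt is not active, nbf: ${nbf}, now: ${now}` };
  }
  return { active: true, msg: null };
}

// The three (nbf, now) pairs taken from the log lines posted in this thread.
const CASES = [
  { who: 'SteenMolberg 05:01:58Z', nbf: 1477544519, nowMs: 1477544518785 },
  { who: 'SteenMolberg 06:03:47Z', nbf: 1477548228, nowMs: 1477548227163 },
  { who: 'cadesalaberry 20:05:37Z', nbf: 1511899838, nowMs: 1511899537734 },
];

// Evaluate every case under each rounding rule, with and without the skew.
function compareRounding(cases = CASES) {
  return cases.map((c) => ({
    who: c.who,
    msAhead: c.nbf * 1000 - c.nowMs, // how far nbf sits in the future, in ms
    floor: checkNotBefore(c.nbf, c.nowMs, { round: Math.floor, clockSkew: 0 }).active,
    ceil: checkNotBefore(c.nbf, c.nowMs, { round: Math.ceil, clockSkew: 0 }).active,
    floorSkew: checkNotBefore(c.nbf, c.nowMs, { round: Math.floor }).active,
    ceilSkew: checkNotBefore(c.nbf, c.nowMs, { round: Math.ceil }).active,
  }));
}

for (const r of compareRounding()) console.log(r);
```

The first two cases fail only under Math.floor; the third is 300.266 s ahead, so even with the skew it passes only when "now" is rounded up, which is the "exactly one above clockSkew" effect.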

@tiagogaf

tiagogaf commented Dec 8, 2019

I recently had the same problem. And to fix it I put the value 3600 in the clockSkew option. In Brazil, we have the "daylight saving" period where for a few months we need to advance our clocks by 1h, I believe it is related, because before that period everything was OK.
