[keycloak-user] OpenId Identity Broker exception - keycloak 1.6.1

Bill Burke bburke at redhat.com
Wed Nov 25 08:46:25 EST 2015


exp is supposed to be seconds since epoch, not milliseconds.  Looks like 
a bug in openAM.

See section 2. NumericDate:

https://tools.ietf.org/html/rfc7519



On 11/25/2015 7:46 AM, Steve Favez wrote:
> Hi all,
>
> I'm trying to use keycloak as identity broker in front of openAm 12,
> using openId Connect 1.0.
> After authenticating against openAM, (so, redirection is ok), I get the
> following error in keycloak when validating the token :
> Caused by: org.codehaus.jackson.JsonParseException: Numeric value (1448455006000) out of range of int
> ......
> at org.keycloak.jose.jws.JWSInput.readJsonContent(JWSInput.java:84)
> at org.keycloak.broker.oidc.OIDCIdentityProvider.validateToken(OIDCIdentityProvider.java:290)
>
> Here's the returned jwt :
> eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiLCAiY3R5IjogIkpXVCIsICJraWQiOiAiNGJkYmQ0NzYtNmE1ZS00ZTZkLTk3MzEtNGEyNmNjZmQ2NGE5IiB9.eyAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgImF6cCI6ICJpbXBsaWNpdGNsaWVudCIsICJzdWIiOiAiYW1hZG1pbiIsICJhdF9oYXNoIjogIkFqTDJGSHpQTXlKWGJoODBrY2UwQ1EiLCAiaXNzIjogImh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9vcGVuYW0iLCAiaWF0IjogMTQ0ODQ1NDQwNiwgImF1dGhfdGltZSI6IDE0NDg0NTQ0MDYsICJleHAiOiAxNDQ4NDU1MDA2MDAwLCAidG9rZW5UeXBlIjogIkpXVFRva2VuIiwgInJlYWxtIjogIi8iLCAiYXVkIjogWyAiaW1wbGljaXRjbGllbnQiIF0sICJjX2hhc2giOiAia0x1ajJfdEJMdVllZVRaWXpETFl4ZyIsICJvcHMiOiAiYTQ5ZWE5OTAtYTFiMS00MGViLWI5ZDMtYTI2YmNiMDE0OGEwIiB9.oiPF0jQP7YRfPeHWV3szNrQ1TYdDieAav0_j2dGXM0iOoMCg4Mk_2tSANQRLRct6Lr_erSFqxFE6Wo6Jvd8aaVWzX6CyS_jD4jYgXywZE5XvkUWuebw8jaODSJddlqelMnEN1bWA1U6i5uaxFDT-occhcM6J5Xpf3j7oGZ1s1i0
>
> -> {
> tokenName: "id_token",
> azp: "implicitclient",
> sub: "amadmin",
> at_hash: "AjL2FHzPMyJXbh80kce0CQ",
> iss: "http://localhost:8080/openam",
> iat: 1448454406,
> auth_time: 1448454406,
> exp: 1448455006000,
> tokenType: "JWTToken",
> realm: "/",
> aud: [
> "implicitclient"
> ],
> c_hash: "kLuj2_tBLuYeeTZYzDLYxg",
> ops: "a49ea990-a1b1-40eb-b9d3-a26bcb0148a0"
> }.
>
> So far, as we can see using a jwt decoder ( http://calebb.net/ ) the
> "out of range int" is the exp (expiration date)
>
> As I can see in class "JsonWebToken", expiration is an int... Isn't it
> supposed to be a long ?
>
> (same for iat and auth_time)
> Thanks in advance for your help
>
> Regards
> Steve

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
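
Added example, not part of the original thread and not Keycloak or OpenAM code: a Python check that decodes a token's payload (without verifying the signature) and flags time claims that are not plausible seconds-since-epoch NumericDate values. It uses the `iat`, `auth_time` and `exp` values from the quoted message in a constructed, unsigned token; the function names and the 10^11 millisecond threshold are assumptions of this example.

```python
import base64
import json

INT32_MAX = 2**31 - 1    # largest value a Java int can hold
MS_THRESHOLD = 10**11    # assumption: "seconds" this large (year ~5138) are really ms
TIME_CLAIMS = ("exp", "nbf", "iat", "auth_time")


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build a constructed, unsigned token for the demo (signature is a dummy)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "constructed"])


def check_numeric_dates(token):
    """Return {claim: problem} for time claims that are not plausible seconds.

    Inspects the payload only; it does not verify the signature.
    """
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    problems = {}
    for claim in TIME_CLAIMS:
        value = payload.get(claim)
        if value is None:
            continue
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            problems[claim] = "not a JSON number"
        elif value >= MS_THRESHOLD:
            problems[claim] = f"looks like milliseconds; as seconds: {int(value // 1000)}"
        elif value > INT32_MAX:
            problems[claim] = "valid seconds, but overflows a 32-bit int"
        elif value < 0:
            problems[claim] = "negative"
    return problems


if __name__ == "__main__":
    # Claim values taken from the id_token quoted in the thread.
    claims = {"iat": 1448454406, "auth_time": 1448454406, "exp": 1448455006000}
    print(check_numeric_dates(make_sample_token(claims)))
```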

