[keycloak-user] access token valid for more than expiry time by milli seconds
Rahul R
1rahulr at gmail.com
Tue Nov 14 03:19:45 EST 2017
Hi,
From the RFC for JWT https://tools.ietf.org/html/rfc7519
4.1.4. "exp" (Expiration Time) Claim
The "exp" (expiration time) claim identifies the expiration time on or
after which the JWT MUST NOT be accepted for processing. The processing of
the "exp" claim requires that the current date/time MUST be before the
expiration date/time listed in the "exp" claim. Implementers MAY provide
for some small leeway, usually no more than a few minutes, to account for
clock skew. Its value MUST be a number containing a NumericDate value.
Use of this claim is OPTIONAL.
So is this delay intentional from the keycloak implementators or a bug to
be fixed ?
Thanks
Rahul
On Tue, Nov 14, 2017 at 10:40 AM, Rahul R <1rahulr at gmail.com> wrote:
> Hi,
> We have a keycloak set up where the Access Token Lifespan is set to 5
> minutes. Now we get the access token using the following command :
> curl -d "client_id=admin-cli" -d "username=admin_user" -d
> "password=admin_user" -d "grant_type=password" "
> http://192.168.56.101:8080/auth/realms/REALM/protocol/openid-connect/token
> "
>
> Now if we use the following command to get the user details
> curl -H "Authorization: bearer "access token value got earlier" "
> http://192.168.56.101:8080/auth/realms/REALM/protocol/openi
> d-connect/userinfo"
>
> The expectation is that the second command works till the token expiry
> time which is 5 minutes and after 5 minutes the token not valid error
> should be seen. But while running the tests multiple times, we are seeing
> that sometimes the token is valid for more than 5 minutes by almost 500
> milliseconds.
>
> Has anyone seen such a behaviour ? Is this is a keycloak bug or a
> behaviour only seen in my machine?
>
> Thanks
> Rahul
>
More information about the keycloak-user
mailing list