Re: [keycloak-dev] Token's issuedAt value is the same as value of NotBeforePolicy

My vote is to go with (2). It may turn to be more work as it needs to check all the adapters (node.js, maybe also gatekeeper etc). But strictly said, if not-before is set for example to 10:0000, then my understanding of not-before semantics is to check that: token is valid if it was issued not before 10:00:00 . Which translates to: token is valid if it was wasn't issued before 10:00:00 .

In other words, if not-before is 10:00:00 then token issued at 9:59:59 shouldn't be valid, but token issued at 10:00:00 should be valid IMO. Marek On 09/04/2019 09:21, Michal Hajas wrote: > Hi, > > I found out that when you do logout-all (in this step realm.notBefore > value > is set) and subsequent login very quickly it may happen that Keycloak > returns tokens with an issuedAt value which is the same as the value > of the > NotBeforePolicy. > > Such tokens are considered invalid in adapter due to this check [1]. > > My question is, should we prevent such state? If yes what is correct > behavior? > > 1. Do not generate tokens with the same issuedAt value as NotBefore > policy. > For example, in TokenManager [2] check NotBefore value and change > issuedAt for all tokens to (NotBefore + 1) in case they are same. > > or > > 2. Change condition [2]: > .... && this.token.getIssuedAt() > deployment.getNotBefore(); > to: > .... && this.token.getIssuedAt() >= deployment.getNotBefore(); > > The later will probably require to also check other non-java adapters > whether such check is present or not. > > Best regards, > Michal > > [1] > https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-co... > > > [2] > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o... > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev