It's actually strange that a different timezone is an issue? From what
I searched, both the Java implementation "System.currentTimeMillis()" and
the JavaScript implementation "new Date().getTime()" should be independent
of the timezone (it should be the time since 1.1.1970 UTC). So it looks like
it's a bad time set either on the browser or the server machine?

+1 to add the timeSkew to the JavaScript adapter, as these are end user
machines. But I'm not sure if we need to add the support for server adapters.
Maybe rather document that the correct time should be set on the server
machines. This is also required for TOTP to work correctly.
Marek
On 20/08/15 13:28, Stian Thorgersen wrote:
We recently had someone that had issues with the JavaScript adapter
not refreshing tokens. The reason for this was that the browser and Keycloak server were in
different time zones, so exp was not checked properly.
I've now updated the javascript adapter to include a timeSkew property. This is
calculated by:
timeSkew = (timeRequestStarted + timeRequestCompleted) / 2 - token.iat
The assumption is that if the request and response take roughly as long, the token's iat
value will be set in the middle of request start and request stop.
This will work both for cases where the browser time is not correct as well as when the
browser is in a different time-zone.
Big question is, should we do the same for all adapters? For server-side adapters we can
be more assured that the time is in sync (not sure if we mention in the documentation that
it's important to keep times in sync), but we still have the issue if the servers are
in different time zones.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
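
The timeSkew calculation from the quoted message, as an added JavaScript example that is not part of the thread and is not keycloak.js code: it models a browser whose clock is wrong by a fixed number of seconds and compares an expiry check that ignores the skew with one that corrects for it. The function names, the 300-second token lifetime and the token itself are constructed for illustration.

```javascript
// Added illustration; the function names are hypothetical, not the keycloak.js API.

// Read a JWT's claims without verifying the signature (enough for iat/exp).
function decodeClaims(jwt) {
  const b64 = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// timeSkew = (timeRequestStarted + timeRequestCompleted) / 2 - token.iat
// Local timestamps are epoch milliseconds; iat is epoch seconds.
function estimateTimeSkew(startedMs, completedMs, iatSec) {
  return Math.floor((startedMs + completedMs) / 2000) - iatSec;
}

// Expiry check on the server's clock: local time minus the estimated skew.
function isTokenExpired(expSec, localNowMs, timeSkewSec = 0, minValiditySec = 0) {
  const serverNowSec = Math.floor(localNowMs / 1000) - timeSkewSec;
  return expSec - serverNowSec <= minValiditySec;
}

// Constructed scenario: the browser clock is off by clockErrorSec and the
// check runs elapsedSec after the server issued a 300-second token.
function simulate(clockErrorSec, elapsedSec) {
  const issuedSec = 1440072000; // constructed server time of issuance
  const body = Buffer.from(JSON.stringify({ iat: issuedSec, exp: issuedSec + 300 }))
    .toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const claims = decodeClaims(`e30.${body}.constructed-signature`);

  const localAtIssueMs = (issuedSec + clockErrorSec) * 1000;
  // The token request took 200 ms, with iat stamped halfway through.
  const skew = estimateTimeSkew(localAtIssueMs - 100, localAtIssueMs + 100, claims.iat);
  const localNowMs = localAtIssueMs + elapsedSec * 1000;
  return {
    skew,
    naiveExpired: isTokenExpired(claims.exp, localNowMs),
    skewAwareExpired: isTokenExpired(claims.exp, localNowMs, skew),
  };
}

// Browser 10 minutes slow, 400 s after issuance: the token is really expired.
console.log(simulate(-600, 400));
// Browser 10 minutes fast, right after issuance: the token is really valid.
console.log(simulate(600, 0));
```

With the slow clock the uncorrected check keeps treating an expired token as valid, so no refresh is triggered; with the fast clock it reports a fresh token as expired.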