8:16 a.m.
On 09/04/2019 13:53, Stian Thorgersen wrote:
Not before should be reject tokens before that time, so changing to
the following as suggested would be the correct behaviour:
this.token.getIssuedAt() >= deployment.getNotBefore
Further, all adapters should allow a configurable allowed time sync
here. We should introduce a new property allowedTimeSkew with default
set to 1 second. The above would then be changed to:
this.token.getIssuedAt() >= deployment.getNotBefore() -
deployment.getAllowedTimeSkew()
That's the question whether we need another configuration option? Can't
recall if someone asks for this? And we have lots of switches already :)
I see the point in having clock skew in keycloak.js, which is executed
on user's machines and there is quite high chance of having time
slightly out of sync. On the other hand, java adapter is mostly executed
on servers where apps are deployed and server administrators usually pay
attention to have time in sync to avoid various issues?
Marek
On Tue, 9 Apr 2019 at 13:50, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
My vote is to go with (2). It may turn to be more work as it needs to
check all the adapters (node.js, maybe also gatekeeper etc).
But strictly said, if not-before is set for example to 10:0000,
then my
understanding of not-before semantics is to check that: token is
valid
if it was issued not before 10:00:00 .
Which translates to: token is valid if it was wasn't issued before
10:00:00 .
In other words, if not-before is 10:00:00 then token issued at
9:59:59
shouldn't be valid, but token issued at 10:00:00 should be valid IMO.
Marek
On 09/04/2019 09:21, Michal Hajas wrote:
> Hi,
>
> I found out that when you do logout-all (in this step
realm.notBefore value
> is set) and subsequent login very quickly it may happen that
Keycloak
> returns tokens with an issuedAt value which is the same as the
value of the
> NotBeforePolicy.
>
> Such tokens are considered invalid in adapter due to this check [1].
>
> My question is, should we prevent such state? If yes what is correct
> behavior?
>
> 1. Do not generate tokens with the same issuedAt value as
NotBefore policy.
> For example, in TokenManager [2] check NotBefore value and change
> issuedAt for all tokens to (NotBefore + 1) in case they are same.
>
> or
>
> 2. Change condition [2]:
> .... && this.token.getIssuedAt() > deployment.getNotBefore();
> to:
> .... && this.token.getIssuedAt() >= deployment.getNotBefore();
>
> The later will probably require to also check other non-java
adapters
> whether such check is present or not.
>
> Best regards,
> Michal
>
> [1]
>
https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-co...
>
> [2]
>
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev