We have a keycloak set up where the Access Token Lifespan is set to 5
minutes. We get the access token using the following command :
curl -d "client_id=admin-cli" -d "username=admin_user" -d
"password=admin_user" -d "grant_type=password" "
Now we use the following command to get the user details
curl -H "Authorization: bearer "access token value got earlier" "
The expectation is that the second command works till the token expiry
time which is 5 minutes and after 5 minutes the token not valid error
should be seen. But while running the tests multiple times, we are seeing
that sometimes the token is valid for more than 5 minutes by almost 500
From the RFC for JWT https://tools.ietf.org/html/rfc7519
4.1.4. "exp" (Expiration Time) Claim
The "exp" (expiration time) claim identifies the expiration time on or
after which the JWT MUST NOT be accepted for processing. The processing of
the "exp" claim requires that the current date/time MUST be before the
expiration date/time listed in the "exp" claim. Implementers MAY provide
for some small leeway, usually no more than a few minutes, to account for
clock skew. Its value MUST be a number containing a NumericDate value.
Use of this claim is OPTIONAL.
So is this delay intentional from the keycloak implementors ?