----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>, "keycloak-dev"
Sent: Thursday, 20 August, 2015 4:23:05 PM
Subject: Re: [keycloak-dev] Time skew in client adapters
It's actually strange that different timezone is an issue? As from what
I searched both Java implementation "System.currentTimeMillis()" and
on timezone (it should be time since 1.1.1970 UTC). So looks like it's
the bad time set either on the browser or server machine?
Great, so problem is solved :)
machines. But not sure if we need to add the support for server adapters
. Maybe rather document that correct time should be set on the server
machines. This is also required for TOTP working correctly.
On 20/08/15 13:28, Stian Thorgersen wrote:
> refreshing tokens. The reason for this was that the browser and Keycloak
> server was in different time zones, so exp was not checked properly.
> This is calculated by:
> timeSkew = (timeRequestStarted + timeRequestCompleted) / 2 - token.iat
> The assumption is that if the request and response takes roughly as long
> the tokens iat value will be set in the middle of request start and
> request stop.
> This will work both for cases where the browser time is not correct as well
> as when the browser is in a different time-zone.
> Big question is, should we do the same for all adapters? For server-side
> adapters we can be more assured that the time is in sync (not sure if we
> mention in the documentation that it's important to keep times in sync),
> but we still have the issue if the servers are in different time zones.
> keycloak-dev mailing list