Re: [keycloak-user] Is it possible to disable not-before-policy token? Oidc client is crashing because it's there

Can't remember if this was converted to a protocol mapper or not, if it is then you should be able to just remove the protocol mapper. If it's not open a feature request and better yet a pr.

On Mon, 27 May 2019, 13:45 Bruno Medeiros, <brunojcm(a)gmail.com&gt; wrote: > Hi, everyone. > > First off, I've been using Keycloak in production for quite a while now, it > is working great, thanks everyone involved! > > I'm trying to add a new Oidc client now which is a third-party cloud > service, and they are struggling to handle CODE_TO_TOKEN Keycload response. > The error that shows up to the user is: > > Invalid response: [InoOicClient\Entity\Exception\InvalidMethodException] > Invalid method InoOicClient\Oic\Token\Response::setNot-before-policy() > > After a few emails with their support team, they said: > > "*... The error is related to the “not-before-policy” parameter that is > included in the response which is not part of the OIDC protocol but a > Keycloak specific extension. This parameter gets its value from: Clients -> > {client name} -> Revocation* > *We set this option to none hoping that it will not be included in the > response, however what I got was [‘not-before-policy’] => 0. So we couldn’t > find a way to remove this parameter from the response. You need to contact > Keycloak and ask them if there is any way to remove this parameter from the > response, since it is not part of the OIDC protocol.*" > > > Well, yes, it's a Keycloak-specific extension, but they shouldn't be > crashing because it's there, AFAIK they should be just ignoring this in the > token and proceeding with the login process. > > Based on our experience so far, we are going to have a hard time > "convincing" them about that, though, so I was wondering if Keycloak allows > us to disable the not-before-policy to a specific client, or even in the > realm at all? > > If not, any pieces of advice on how to support the fact that they should > not be crashing on the client side? I'm afraid I don't now Oidc/Oauth2 > specs broadly enough so far to be sure about that and sustain my opinion. > > Cheers, > > -- > BrunoJCM > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user