Hi Bruno,
The "not-before-policy" property cannot be disabled in Keycloak since it is
hardcoded. And it is not the only problematic field; it's just alphabetically first.
There are also the non-standard "refresh_expires_in" and "session_state" fields
that will also break your client.
The bug is recognized by the author of the client library [2]. This is indeed a bug since
the spec clearly says:
"The client MUST ignore unrecognized value names in the response." [3]
Hope that helps you to defend your position. Meanwhile, there are at least two workarounds
(however hackish):
- remove the problematic fields from org.keycloak.representations.AccessTokenResponse and
dependent classes and recompile Keycloak - this will solve the problem, but will obviously
lead to maintenance hell;
- set up a content filter in your reverse proxy to remove the fields from the token
response. This will work since the token response is not signed (as opposed to the tokens
themselves).
[1] https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/k...
[2] https://github.com/ivan-novakov/php-openid-connect-client/issues/14
[3] https://tools.ietf.org/html/rfc6749#section-5.1
Good luck,
Dmitry Telegin
Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info(a)carretti.pro
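To make the two points of the reply above concrete (a client MUST ignore unrecognized value names per RFC 6749 section 5.1, and the proxy workaround is possible only because the token response document is not signed), here is an added Python example that is not part of this thread or of Keycloak. The sample response body is constructed with placeholder token values; the field names are the ones named in the thread and in the RFC. `StrictTokenResponse` and `parse_strict` only imitate the failing setter-dispatch behaviour described in Bruno's error message, not the actual PHP library's code.

```python
"""Tolerant vs. strict handling of a Keycloak code-to-token response (added example)."""
import json

# Value names defined by RFC 6749 section 5.1, plus id_token from OpenID Connect Core.
STANDARD_FIELDS = {"access_token", "token_type", "expires_in",
                   "refresh_token", "scope", "id_token"}

# Keycloak-specific fields named in the thread; the proxy workaround strips exactly these.
KEYCLOAK_EXTRA_FIELDS = {"not-before-policy", "refresh_expires_in", "session_state"}

# Constructed sample body shaped like a Keycloak token response (all values are placeholders).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "ACCESS_TOKEN_PLACEHOLDER",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "REFRESH_TOKEN_PLACEHOLDER",
    "token_type": "bearer",
    "id_token": "ID_TOKEN_PLACEHOLDER",
    "not-before-policy": 0,
    "session_state": "SESSION_STATE_PLACEHOLDER",
    "scope": "openid profile",
}).encode()


class StrictTokenResponse:
    """Imitates the failing client: every field is dispatched to a set_<name>() method,
    so any name without a matching setter (or one that is not even a valid method
    name, like 'not-before-policy') cannot be handled."""

    def __init__(self):
        self.fields = {}

    def _set(self, name, value):
        self.fields[name] = value

    def set_access_token(self, v): self._set("access_token", v)
    def set_token_type(self, v): self._set("token_type", v)
    def set_expires_in(self, v): self._set("expires_in", v)
    def set_refresh_token(self, v): self._set("refresh_token", v)
    def set_scope(self, v): self._set("scope", v)
    def set_id_token(self, v): self._set("id_token", v)


def parse_strict(body):
    """Non-compliant parsing: raises on the first value name without a setter."""
    resp = StrictTokenResponse()
    for name, value in json.loads(body).items():
        setter = getattr(resp, "set_" + name, None)
        if setter is None:
            raise ValueError(f"Invalid method set_{name}()")
        setter(value)
    return resp.fields


def parse_tolerant(body):
    """RFC 6749 section 5.1 parsing: required fields are checked, known fields are
    kept, and unrecognized value names are ignored (returned separately so the
    client can log them instead of failing)."""
    data = json.loads(body)
    missing = {"access_token", "token_type"} - data.keys()
    if missing:
        raise ValueError(f"token response missing required field(s): {sorted(missing)}")
    known = {k: v for k, v in data.items() if k in STANDARD_FIELDS}
    ignored = sorted(data.keys() - STANDARD_FIELDS)
    return known, ignored


def strip_keycloak_fields(body):
    """Proxy-side workaround from the reply: drop the Keycloak-specific fields from
    the JSON body. This is only possible because the response document itself is
    not signed; the tokens inside it are passed through untouched. The caller must
    recompute Content-Length for the returned bytes."""
    data = json.loads(body)
    for name in KEYCLOAK_EXTRA_FIELDS:
        data.pop(name, None)
    return json.dumps(data, separators=(",", ":")).encode()


if __name__ == "__main__":
    known, ignored = parse_tolerant(SAMPLE_RESPONSE)
    print("tolerant parse kept:", sorted(known), "ignored:", ignored)
    try:
        parse_strict(SAMPLE_RESPONSE)
    except ValueError as exc:
        print("strict parse failed as the thread describes:", exc)
    filtered = strip_keycloak_fields(SAMPLE_RESPONSE)
    print("strict parse after proxy filtering:", sorted(parse_strict(filtered)))
```

The tolerant parser is the client-side fix the spec requires; the filter function is the server-side stopgap, and it should be applied only to the token endpoint's JSON responses, never to the token strings themselves.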
On Mon, 2019-05-27 at 19:30 +0800, Bruno Medeiros wrote:
Hi, everyone.
First off, I've been using Keycloak in production for quite a while now, it
is working great, thanks everyone involved!
I'm trying to add a new Oidc client now which is a third-party cloud
service, and they are struggling to handle the CODE_TO_TOKEN Keycloak response.
The error that shows up to the user is:
Invalid response: [InoOicClient\Entity\Exception\InvalidMethodException]
Invalid method InoOicClient\Oic\Token\Response::setNot-before-policy()
After a few emails with their support team, they said:
"... The error is related to the "not-before-policy" parameter that is
included in the response which is not part of the OIDC protocol but a
Keycloak specific extension. This parameter gets its value from: Clients ->
{client name} -> Revocation
We set this option to none hoping that it will not be included in the
response, however what I got was ['not-before-policy'] => 0. So we couldn't
find a way to remove this parameter from the response. You need to contact
Keycloak and ask them if there is any way to remove this parameter from the
response, since it is not part of the OIDC protocol."
Well, yes, it's a Keycloak-specific extension, but they shouldn't be
crashing because it's there, AFAIK they should be just ignoring this in the
token and proceeding with the login process.
Based on our experience so far, we are going to have a hard time
"convincing" them about that, though, so I was wondering if Keycloak allows
us to disable the not-before-policy to a specific client, or even in the
realm at all?
If not, any pieces of advice on how to support the fact that they should
not be crashing on the client side? I'm afraid I don't know the Oidc/Oauth2
specs broadly enough so far to be sure about that and sustain my opinion.
Cheers,