Hi,
From the RFC for JWT
https://tools.ietf.org/html/rfc7519
4.1.4. "exp" (Expiration Time) Claim
The "exp" (expiration time) claim identifies the expiration time on or
after which the JWT MUST NOT be accepted for processing. The processing of
the "exp" claim requires that the current date/time MUST be before the
expiration date/time listed in the "exp" claim. Implementers MAY provide
for some small leeway, usually no more than a few minutes, to account for
clock skew. Its value MUST be a number containing a NumericDate value.
Use of this claim is OPTIONAL.
So is this delay intentional from the keycloak implementators or a bug to
be fixed ?
Thanks
Rahul
On Tue, Nov 14, 2017 at 10:40 AM, Rahul R <1rahulr(a)gmail.com> wrote:
Hi,
We have a keycloak set up where the Access Token Lifespan is set to 5
minutes. Now we get the access token using the following command :
curl -d "client_id=admin-cli" -d "username=admin_user" -d
"password=admin_user" -d "grant_type=password" "
http://192.168.56.101:8080/auth/realms/REALM/protocol/openid-connect/token
"
Now if we use the following command to get the user details
curl -H "Authorization: bearer "access token value got earlier" "
http://192.168.56.101:8080/auth/realms/REALM/protocol/openi
d-connect/userinfo"
The expectation is that the second command works till the token expiry
time which is 5 minutes and after 5 minutes the token not valid error
should be seen. But while running the tests multiple times, we are seeing
that sometimes the token is valid for more than 5 minutes by almost 500
milliseconds.
Has anyone seen such a behaviour ? Is this is a keycloak bug or a
behaviour only seen in my machine?
Thanks
Rahul