[keycloak-dev] Time skew in client adapters

Stian Thorgersen stian at redhat.com
Thu Aug 20 07:28:00 EDT 2015


We recently had someone that had issues with the javascript adapter not refreshing tokens. The reason for this was that the browser and Keycloak server was in different time zones, so exp was not checked properly.

I've now updated the javascript adapter to include a timeSkew property. This is calculated by:

   timeSkew = (timeRequestStarted + timeRequestCompleted) / 2 - token.iat

The assumption is that if the request and response takes roughly as long the tokens iat value will be set in the middle of request start and request stop.

This will work both for cases where the browser time is not correct as well as when the browser is in a different time-zone.

Big question is, should we do the same for all adapters? For server-side adapters we can be more assured that the time is in sync (not sure if we mention in the documentation that it's important to keep times in sync), but we still have the issue if the servers are in different time zones.


More information about the keycloak-dev mailing list