[keycloak-dev] Time skew in client adapters

Marek Posolda mposolda at redhat.com
Thu Aug 20 10:23:05 EDT 2015


It's actually strange that different timezone is an issue? As from what 
I searched both Java implementation "System.currentTimeMillis()" and 
javascript implementation "new Date().getTime()" should be independent 
on timezone (it should be time since 1.1.1970 UTC). So looks like it's 
the bad time set either on the browser or server machine?

+1 to add the timeSkew to the javascript adapter as these are end user 
machines. But not sure if we need to add the support for server adapters 
. Maybe rather document that correct time should be set on the server 
machines. This is also required for TOTP working correctly.

Marek

On 20/08/15 13:28, Stian Thorgersen wrote:
> We recently had someone that had issues with the javascript adapter not refreshing tokens. The reason for this was that the browser and Keycloak server was in different time zones, so exp was not checked properly.
>
> I've now updated the javascript adapter to include a timeSkew property. This is calculated by:
>
>     timeSkew = (timeRequestStarted + timeRequestCompleted) / 2 - token.iat
>
> The assumption is that if the request and response takes roughly as long the tokens iat value will be set in the middle of request start and request stop.
>
> This will work both for cases where the browser time is not correct as well as when the browser is in a different time-zone.
>
> Big question is, should we do the same for all adapters? For server-side adapters we can be more assured that the time is in sync (not sure if we mention in the documentation that it's important to keep times in sync), but we still have the issue if the servers are in different time zones.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev



More information about the keycloak-dev mailing list