[keycloak-dev] Time skew in client adapters

Stian Thorgersen stian at redhat.com
Thu Aug 20 10:24:32 EDT 2015



----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>, "keycloak-dev" <keycloak-dev at lists.jboss.org>
> Sent: Thursday, 20 August, 2015 4:23:05 PM
> Subject: Re: [keycloak-dev] Time skew in client adapters
> 
> It's actually strange that a different timezone is an issue? From what
> I searched, both the Java implementation "System.currentTimeMillis()" and
> the JavaScript implementation "new Date().getTime()" should be independent
> of timezone (it should be time since 1.1.1970 UTC). So it looks like it's
> a bad time set either on the browser or the server machine?

Great, so the problem is solved :)

> 
> +1 to add the timeSkew to the JavaScript adapter as these are end user
> machines. But not sure if we need to add the support for server adapters.
> Maybe rather document that the correct time should be set on the server
> machines. This is also required for TOTP to work correctly.
> 
> Marek
> 
> On 20/08/15 13:28, Stian Thorgersen wrote:
> > We recently had someone that had issues with the JavaScript adapter not
> > refreshing tokens. The reason for this was that the browser and Keycloak
> > server were in different time zones, so exp was not checked properly.
> >
> > I've now updated the JavaScript adapter to include a timeSkew property.
> > This is calculated by:
> >
> >     timeSkew = (timeRequestStarted + timeRequestCompleted) / 2 - token.iat
> >
> > The assumption is that if the request and response take roughly as long,
> > the token's iat value will be set in the middle of request start and
> > request stop.
> >
> > This will work both for cases where the browser time is not correct as well
> > as when the browser is in a different time-zone.
> >
> > Big question is, should we do the same for all adapters? For server-side
> > adapters we can be more assured that the time is in sync (not sure if we
> > mention in the documentation that it's important to keep times in sync),
> > but we still have the issue if the servers are in different time zones.
> 
> 
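
The timeSkew calculation quoted above and its use in an expiry check, as an added example that is not part of the original thread or of Keycloak's adapter code. The function names, the use of Unix seconds and the sample values are assumptions; the sample models a browser clock set two hours behind, which is the case that stops tokens from being refreshed.

```javascript
'use strict';
// Added example; all names are hypothetical. iat/exp are Unix seconds (UTC),
// local clock readings are milliseconds as returned by new Date().getTime().

// timeSkew = midpoint of the token request on the local clock minus token.iat.
// Positive: local clock is ahead of the server. Negative: local clock is behind.
function estimateTimeSkew(requestStartedMs, requestCompletedMs, iat) {
  const midpointSec = (requestStartedMs + requestCompletedMs) / 2 / 1000;
  return Math.round(midpointSec - iat);
}

// Remaining lifetime with no correction: trusts the local clock as-is.
function naiveSecondsUntilExpiry(claims, nowMs) {
  return claims.exp - Math.ceil(nowMs / 1000);
}

// Remaining lifetime on the server's clock: subtract the skew from local "now".
function secondsUntilExpiry(claims, timeSkew, nowMs) {
  return claims.exp - (Math.ceil(nowMs / 1000) - timeSkew);
}

function shouldRefresh(claims, timeSkew, nowMs, minValiditySec) {
  return secondsUntilExpiry(claims, timeSkew, nowMs) < minValiditySec;
}

// Constructed sample: 300 s token, 400 ms round trip, browser clock 2 h behind.
function sampleRun() {
  const iat = 1440080672;                       // constructed server issue time
  const claims = { iat: iat, exp: iat + 300 };
  const offsetMs = -2 * 3600 * 1000;            // browser clock error
  const startedMs = iat * 1000 - 200 + offsetMs;
  const completedMs = iat * 1000 + 200 + offsetMs;
  const skew = estimateTimeSkew(startedMs, completedMs, claims.iat);

  // 310 s after issuance the token has expired on the server.
  const nowMs = (iat + 310) * 1000 + offsetMs;
  return {
    skew: skew,
    naive: naiveSecondsUntilExpiry(claims, nowMs),       // looks valid
    corrected: secondsUntilExpiry(claims, skew, nowMs),  // already expired
    refresh: shouldRefresh(claims, skew, nowMs, 30),
  };
}

console.log(sampleRun());
```

The estimate is only as good as the assumption that request and response take about the same time; an asymmetric round trip shifts the skew by half the difference.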

