[keycloak-dev] access token valid for more than expiry time by milliseconds
Rahul R
1rahulr at gmail.com
Tue Nov 14 05:13:15 EST 2017
>
> Hi,
> We have a keycloak set up where the Access Token Lifespan is set to 5
> minutes. We get the access token using the following command:
> curl -d "client_id=admin-cli" -d "username=admin_user" -d "password=admin_user" -d "grant_type=password" "http://192.168.56.101:8080/auth/realms/REALM/protocol/openid-connect/token"
>
> Now we use the following command to get the user details:
> curl -H "Authorization: bearer <access token value got earlier>" "http://192.168.56.101:8080/auth/realms/REALM/protocol/openid-connect/userinfo"
>
> The expectation is that the second command works till the token expiry
> time which is 5 minutes and after 5 minutes the token not valid error
> should be seen. But while running the tests multiple times, we are seeing
> that sometimes the token is valid for more than 5 minutes by almost 500
> milliseconds.
>
> From the RFC for JWT https://tools.ietf.org/html/rfc7519
>
> 4.1.4. "exp" (Expiration Time) Claim
>
> The "exp" (expiration time) claim identifies the expiration time on or
> after which the JWT MUST NOT be accepted for processing. The processing of
> the "exp" claim requires that the current date/time MUST be before the
> expiration date/time listed in the "exp" claim. Implementers MAY provide
> for some small leeway, usually no more than a few minutes, to account for
> clock skew. Its value MUST be a number containing a NumericDate value.
> Use of this claim is OPTIONAL.
>
> So is this delay intentional from the keycloak implementors?
>
> Thanks
> Rahul
>
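Added worked example, not part of the original thread and not Keycloak's own code. The RFC text quoted above fixes "exp" as a NumericDate, a count of seconds, so an issuer that truncates the issue time to whole seconds, and a verifier that compares with "<=" or rounds its own clock down, each shift the moment of rejection by up to a second relative to the exact configured lifespan. The script mints an HS256 token with integer iat/exp (the secret, subject and timestamps are constructed for the demo), verifies the signature before trusting any claim, and measures, for an RFC-strict check and for an inclusive whole-second check, how far from the intended 5-minute mark the token is first rejected. Whether either effect is what the thread observed is not something the thread establishes.

```python
"""Constructed demo: second-granularity NumericDate values and the direction of
the exp comparison decide when a JWT stops being accepted. Not Keycloak code."""
import base64
import hashlib
import hmac
import json
import math

# Constructed demo secret; a real deployment uses the realm's signing key.
DEMO_SECRET = b"demo-hs256-secret-not-for-production"
LIFESPAN_SECONDS = 300  # the 5 minute Access Token Lifespan from the thread


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issued_at: float, secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 JWT whose iat/exp are whole seconds.

    NumericDate is seconds since the epoch; issuers commonly truncate the
    issue time to an integer, so exp = floor(iat) + lifespan (assumption).
    """
    iat = math.floor(issued_at)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iat": iat, "exp": iat + LIFESPAN_SECONDS, "sub": "demo-user"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_and_decode(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Check the HS256 signature before reading any claim, then return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def accepted_strict(claims: dict, now: float, leeway: int = 0) -> bool:
    """RFC 7519 4.1.4: the current time MUST be before exp (plus any leeway)."""
    return now < claims["exp"] + leeway


def accepted_inclusive(claims: dict, now: float) -> bool:
    """A verifier that rounds its clock down to whole seconds and rejects only
    once that value is past exp; the token survives the whole exp second."""
    return math.floor(now) <= claims["exp"]


def first_rejection_offset_ms(issued_at_ms: int, check) -> int:
    """Milliseconds relative to the intended expiry (issue time + lifespan) at
    which `check` first rejects the token. Negative: early; positive: late.
    Integer millisecond arithmetic avoids float drift in the scan."""
    token = issue_token(issued_at_ms / 1000)
    claims = verify_and_decode(token)
    intended_ms = issued_at_ms + LIFESPAN_SECONDS * 1000
    for offset in range(-1000, 2001, 10):
        if not check(claims, (intended_ms + offset) / 1000):
            return offset
    raise AssertionError("token never rejected inside the scan window")


if __name__ == "__main__":
    # Constructed issue time 1000.5 s: iat is truncated to 1000, exp = 1300.
    for name, check in (("strict", accepted_strict), ("inclusive", accepted_inclusive)):
        print(name, first_rejection_offset_ms(1000500, check), "ms from 5 min mark")
```

Run stand-alone, the script shows the two verifiers disagreeing by a full second for the same token: the strict check rejects 500 ms before the exact 5-minute mark (because iat was truncated), the inclusive whole-second check rejects 500 ms after it. A defender checking a reported overrun would compare the issuer's exp to the precise issue time and read the verifier's comparison operator and clock resolution before suspecting anything else, and would keep any configured leeway explicit rather than implied by rounding.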