[keycloak-dev] Token Verifier behaviour change since 4.4.0.Final

Арсений Красеньков mailsenik11 at gmail.com
Wed Dec 19 14:36:33 EST 2018


Hello everyone!

I recently discovered an undocumented behaviour change in the Token Verification provider (ex RSATokenVerifier), starting from Keycloak ver. 4.4.0.Final, caused by https://issues.jboss.org/browse/KEYCLOAK-7560. In short, TokenVerifier now does not check token expiration by default. This causes, for example, successful responses to Userinfo requests even if the token is expired.
Because this change was not documented, I consider it a bug and would like to create an issue.

Any thoughts on this point? 

Sincerely,
Arseny.
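
The failure mode described in the message above, as an added example that is not part of the original post and is not Keycloak code: a simplified Python model of a verifier whose claim checks are opt-in, so a correctly signed but expired token is accepted unless the caller registers the expiry check. All names (`verify`, `is_active`, `accepted`, `KEY`, `NOW`) and the HS256 tokens are constructed for illustration.

```python
import base64, hashlib, hmac, json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 JWT for the demonstration."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def is_active(claims: dict, now: float) -> bool:
    """exp/nbf check; a token without a numeric exp is rejected (strict choice)."""
    exp, nbf = claims.get("exp"), claims.get("nbf")
    exp_ok = isinstance(exp, (int, float)) and now < exp
    return exp_ok and (nbf is None or now >= nbf)

def verify(token: str, key: bytes, now: float, checks=()) -> dict:
    """Check the signature, then run ONLY the claim checks the caller passed."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        alg, given = header.get("alg"), _unb64(sig)
    except (ValueError, AttributeError) as err:
        raise ValueError("malformed token") from err
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if alg != "HS256" or not hmac.compare_digest(want, given):
        raise ValueError("bad algorithm or signature")
    for check in checks:
        if not check(claims, now):
            raise ValueError(f"check failed: {check.__name__}")
    return claims

# Constructed sample data: fixed clock, one expired and one fresh token.
KEY = b"constructed-demo-key"
NOW = 1_545_250_000
EXPIRED = sign_hs256({"sub": "alice", "exp": NOW - 3600}, KEY)
FRESH = sign_hs256({"sub": "alice", "exp": NOW + 300}, KEY)

def accepted(token: str, checks=()) -> bool:
    try:
        verify(token, KEY, NOW, checks)
        return True
    except ValueError:
        return False
```

A regression test of this shape, run against the real endpoint with an expired token, catches a silent change in a verifier's default checks after an upgrade.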

