[keycloak-dev] Token's issuedAt value is the same as value of NotBeforePolicy

Michal Hajas mhajas at redhat.com
Tue Apr 9 03:21:10 EDT 2019


Hi,

I found out that when you do logout-all (in this step the realm.notBefore value
is set) and a subsequent login very quickly, it may happen that Keycloak
returns tokens with an issuedAt value which is the same as the value of the
NotBeforePolicy.

Such tokens are considered invalid in the adapter due to this check [1].

My question is, should we prevent such a state? If yes, what is the correct
behavior?

1. Do not generate tokens with the same issuedAt value as NotBefore policy.
For example, in TokenManager [2] check NotBefore value and change
issuedAt for all tokens to (NotBefore + 1) in case they are same.

or

2. Change condition [2]:
.... && this.token.getIssuedAt() > deployment.getNotBefore();
to:
.... && this.token.getIssuedAt() >= deployment.getNotBefore();

The latter will probably also require checking the other non-Java adapters
for whether such a check is present or not.

Best regards,
Michal

[1]
https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java#L79

[2]
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L796
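The boundary case described in the message above, reduced to a small simulation. This is an added example, not code from Keycloak or from the author of the post: the `Realm`, `Token`, `logoutAll` and `issueToken*` names are assumptions that model the relevant parts of the server (second-granularity `notBefore` and `issuedAt`), and a fixed `Clock` reproduces "logout-all and login within the same second" deterministically. The strict comparison mirrors the adapter check in [1]; the two alternative branches are the two options from the message.

```java
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneOffset;

// Simulation of the realm "not-before" vs token "issued-at" boundary.
// Names below are hypothetical stand-ins for the Keycloak internals.
public class NotBeforeBoundary {
    static final class Realm { int notBefore; }                 // seconds since epoch
    static final class Token {
        final int issuedAt;                                     // seconds since epoch
        Token(int issuedAt) { this.issuedAt = issuedAt; }
    }

    // Keycloak stores these timestamps with one-second granularity.
    static int nowSeconds(Clock clock) { return (int) (clock.millis() / 1000L); }

    // "logout-all": the realm's notBefore is set to the current second.
    static void logoutAll(Realm realm, Clock clock) { realm.notBefore = nowSeconds(clock); }

    // Current behaviour: issuedAt is simply the current second.
    static Token issueToken(Clock clock) { return new Token(nowSeconds(clock)); }

    // Option 1 from the message: bump issuedAt past notBefore when they coincide.
    static Token issueTokenOption1(Realm realm, Clock clock) {
        int iat = nowSeconds(clock);
        if (iat == realm.notBefore) {
            iat = realm.notBefore + 1;
        }
        return new Token(iat);
    }

    // Adapter check as in [1]: token must be issued strictly after notBefore.
    static boolean isActiveStrict(Token t, Realm r) { return t.issuedAt > r.notBefore; }

    // Option 2 from the message: inclusive comparison in the adapter.
    static boolean isActiveInclusive(Token t, Realm r) { return t.issuedAt >= r.notBefore; }

    public static void main(String[] args) {
        // Fixed clock: logout-all and login happen in the same second (constructed value).
        Clock fixed = Clock.fixed(Instant.parse("2019-04-09T07:21:10Z"), ZoneOffset.UTC);
        Realm realm = new Realm();

        logoutAll(realm, fixed);
        Token sameSecond = issueToken(fixed);
        System.out.println("current server + strict adapter: "
                + isActiveStrict(sameSecond, realm));            // false: token rejected

        System.out.println("current server + inclusive adapter (option 2): "
                + isActiveInclusive(sameSecond, realm));         // true

        Token bumped = issueTokenOption1(realm, fixed);
        System.out.println("option 1 server + strict adapter: "
                + isActiveStrict(bumped, realm));                // true (issuedAt == notBefore + 1)

        // A token that was issued in the same second but BEFORE the logout-all
        // (constructed: issuedAt equal to notBefore) is what logout-all is meant to revoke.
        Token preLogout = new Token(realm.notBefore);
        System.out.println("pre-logout token, strict: " + isActiveStrict(preLogout, realm));       // false
        System.out.println("pre-logout token, inclusive: " + isActiveInclusive(preLogout, realm)); // true
    }
}
```

The last two lines of the simulation show the trade-off between the two options: with second-granularity timestamps, a token issued at second N before logout-all sets `notBefore = N` carries the same `issuedAt` as one issued just after it. The strict adapter comparison rejects both, which is the reported problem; the inclusive comparison (option 2) accepts both, so it widens the revocation gap by up to one second; bumping `issuedAt` on the server (option 1) keeps the strict check and only the post-logout token passes it.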

