[keycloak-dev] Token's issuedAt value is the same as value of NotBeforePolicy
Stian Thorgersen
sthorger at redhat.com
Tue Apr 9 07:53:48 EDT 2019
Not before should be reject tokens before that time, so changing to the
following as suggested would be the correct behaviour:
this.token.getIssuedAt() >= deployment.getNotBefore
Further, all adapters should allow a configurable allowed time sync here.
We should introduce a new property allowedTimeSkew with default set to 1
second. The above would then be changed to:
this.token.getIssuedAt() >= deployment.getNotBefore() -
deployment.getAllowedTimeSkew()
On Tue, 9 Apr 2019 at 13:50, Marek Posolda <mposolda at redhat.com> wrote:
> My vote is to go with (2). It may turn to be more work as it needs to
> check all the adapters (node.js, maybe also gatekeeper etc).
>
> But strictly said, if not-before is set for example to 10:0000, then my
> understanding of not-before semantics is to check that: token is valid
> if it was issued not before 10:00:00 .
> Which translates to: token is valid if it was wasn't issued before
> 10:00:00 .
>
> In other words, if not-before is 10:00:00 then token issued at 9:59:59
> shouldn't be valid, but token issued at 10:00:00 should be valid IMO.
>
> Marek
>
> On 09/04/2019 09:21, Michal Hajas wrote:
> > Hi,
> >
> > I found out that when you do logout-all (in this step realm.notBefore
> value
> > is set) and subsequent login very quickly it may happen that Keycloak
> > returns tokens with an issuedAt value which is the same as the value of
> the
> > NotBeforePolicy.
> >
> > Such tokens are considered invalid in adapter due to this check [1].
> >
> > My question is, should we prevent such state? If yes what is correct
> > behavior?
> >
> > 1. Do not generate tokens with the same issuedAt value as NotBefore
> policy.
> > For example, in TokenManager [2] check NotBefore value and change
> > issuedAt for all tokens to (NotBefore + 1) in case they are same.
> >
> > or
> >
> > 2. Change condition [2]:
> > .... && this.token.getIssuedAt() > deployment.getNotBefore();
> > to:
> > .... && this.token.getIssuedAt() >= deployment.getNotBefore();
> >
> > The later will probably require to also check other non-java adapters
> > whether such check is present or not.
> >
> > Best regards,
> > Michal
> >
> > [1]
> >
> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java#L79
> >
> > [2]
> >
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L796
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list