[keycloak-user] Client Adapter and Clock Skew

Mandera, Thomas [US] (TS) Tom.Mandera at ngc.com
Wed Oct 3 20:39:52 EDT 2018 

I am using the Keycloak client adapter (Tomcat Valve) with Shibboleth as the IdP.

I have been encountering problems which I believe relate to clock-skew, which I'm unable to resolve externally (No amount of clock syncing between the IdP and the SP has been consistently good enough to avoid periodic problems, and I have limited ability to make further configuration changes).

Shibboleth sends the NOT-BEFORE time in the payload, and the Keycloak adapter dutifully honors that.
Occasionally the assertion arrives and the SP's clock is before the token is valid, and the user/token is rejected.

I believe this is in the order of several milliseconds, but even 1ms is enough for the Keycloak client to reject the assertion.

KEYCLOAK-4538<https://issues.jboss.org/browse/KEYCLOAK-4538> corrected this problem, but only for the JsonClient.


In 4.4.0,  org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil.hasExpired() makes the call to XMLTimeUtil.isValid.

There is an alternate hasExpired() that takes in "clockSkewInMillis" but I don't see anything that calls that routine.
(org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler makes the call to AssertionUtil.hasExpired())

Am I missing where/how to configure the allowable clockskew for the client?


If I'm not, then I propose adding the clockSkewInMillis as an attribute to the IDP configuration in keycloak-saml.xml by adding to the XSD (should the XSD version number increment from 1.9 to 2.0 along the way?), adding it to the IDP object that represents the IDP configuration, and then within AbstractSamlAuthenticationHandler, we can retrieve the clockSkewInMillis from the SamlDeployment deployment object, and make the appropriate call (or, as I think the latest revisions with 4.5.0 do, initialize the allowable skew to 0 and update it when necessary  - but I believe 4.5.0 still doesn't provide me with a method to SET the allowable clock skew)

Am I correct in my understanding that there is not currently a means to configure the allowable clock-skew-in-millis for the Tomcat (and others?) SAML client?

Thank you,

-Tom

More information about the keycloak-user mailing list