[keycloak-user] Is it possible to disable not-before-policy token? Oidc client is crashing because it's there

Bruno Medeiros brunojcm at gmail.com
Mon May 27 07:30:50 EDT 2019


Hi, everyone.

First off, I've been using Keycloak in production for quite a while now, it
is working great, thanks everyone involved!

I'm trying to add a new Oidc client now which is a third-party cloud
service, and they are struggling to handle CODE_TO_TOKEN Keycloak response.
The error that shows up to the user is:

Invalid response: [InoOicClient\Entity\Exception\InvalidMethodException]
Invalid method InoOicClient\Oic\Token\Response::setNot-before-policy()

After a few emails with their support team, they said:

"... The error is related to the “not-before-policy” parameter that is
included in the response which is not part of the OIDC protocol but a
Keycloak specific extension. This parameter gets its value from: Clients ->
{client name} -> Revocation
We set this option to none hoping that it will not be included in the
response, however what I got was [‘not-before-policy’] => 0. So we couldn’t
find a way to remove this parameter from the response. You need to contact
Keycloak and ask them if there is any way to remove this parameter from the
response, since it is not part of the OIDC protocol."


Well, yes, it's a Keycloak-specific extension, but they shouldn't be
crashing because it's there, AFAIK they should be just ignoring this in the
token and proceeding with the login process.

Based on our experience so far, we are going to have a hard time
"convincing" them about that, though, so I was wondering if Keycloak allows
us to disable the not-before-policy to a specific client, or even in the
realm at all?

If not, any pieces of advice on how to support the fact that they should
not be crashing on the client side? I'm afraid I don't know Oidc/Oauth2
specs broadly enough so far to be sure about that and sustain my opinion.

Cheers,

-- 
BrunoJCM
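As an added illustration (not code from this thread, from Keycloak, or from the InoOicClient library), the Python sketch below contrasts the setter-per-key pattern behind the error quoted above with a parser that follows RFC 6749 section 5.1, which says the client MUST ignore unrecognised value names in the token response. The sample response, the class and the function names are constructed for the illustration.

```python
import json

# Constructed Keycloak-style CODE_TO_TOKEN response; every value is a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "PLACEHOLDER_ACCESS_TOKEN",
    "token_type": "bearer",
    "expires_in": 300,
    "refresh_token": "PLACEHOLDER_REFRESH_TOKEN",
    "id_token": "PLACEHOLDER_ID_TOKEN",
    "not-before-policy": 0,  # Keycloak-specific extension, not an OIDC Core parameter
    "session_state": "PLACEHOLDER_SESSION_STATE",
    "scope": "openid",
})

class TokenResponse:
    # Parameters defined by RFC 6749 section 5.1 and OIDC Core section 3.1.3.3.
    KNOWN = {"access_token", "token_type", "expires_in", "refresh_token", "scope", "id_token"}

    def __init__(self):
        self.fields, self.extra = {}, {}  # recognised / unrecognised parameters
        for name in self.KNOWN:  # one generated setter per known parameter, e.g. setAccess_token
            setattr(self, "set" + name[0].upper() + name[1:], lambda value, n=name: self.fields.__setitem__(n, value))

def parse_brittle(body):
    # Hypothetical reproduction of the failing pattern: derive a setter name from
    # each JSON key and call it, so any key outside the expected set raises.
    resp = TokenResponse()
    for key, value in json.loads(body).items():
        setter = "set" + key[0].upper() + key[1:]  # "not-before-policy" -> "setNot-before-policy"
        getattr(resp, setter)(value)
    return resp

def parse_tolerant(body):
    # RFC 6749 section 5.1: ignore unrecognised value names, but still insist on
    # the parameters the login actually depends on.
    data = json.loads(body)
    missing = {"access_token", "token_type"} - set(data)
    if missing:
        raise ValueError(f"token response lacks required parameter(s): {sorted(missing)}")
    resp = TokenResponse()
    for key, value in data.items():
        (resp.fields if key in TokenResponse.KNOWN else resp.extra)[key] = value
    return resp

def brittle_error(body):
    # Return the brittle parser's error message, or None if it parsed cleanly.
    try:
        parse_brittle(body)
        return None
    except AttributeError as exc:
        return str(exc)
```

The tolerant parser keeps the extra keys in `extra` so they can be logged for interoperability debugging without ever influencing the login flow.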

