[keycloak-user] Is it possible to disable not-before-policy token? Oidc client is crashing because it's there

Stian Thorgersen sthorger at redhat.com
Mon May 27 13:00:29 EDT 2019


Can't remember if this was converted to a protocol mapper or not. If it is,
then you should be able to just remove the protocol mapper. If it's not,
open a feature request, and better yet a PR.

On Mon, 27 May 2019, 13:45 Bruno Medeiros, <brunojcm at gmail.com> wrote:

> Hi, everyone.
>
> First off, I've been using Keycloak in production for quite a while now, it
> is working great, thanks everyone involved!
>
> I'm trying to add a new Oidc client now which is a third-party cloud
> service, and they are struggling to handle CODE_TO_TOKEN Keycloak response.
> The error that shows up to the user is:
>
> Invalid response: [InoOicClient\Entity\Exception\InvalidMethodException]
> Invalid method InoOicClient\Oic\Token\Response::setNot-before-policy()
>
> After a few emails with their support team, they said:
>
> "*... The error is related to the “not-before-policy” parameter that is
> included in the response which is not part of the OIDC protocol but a
> Keycloak specific extension. This parameter gets its value from: Clients ->
> {client name} -> Revocation*
> *We set this option to none hoping that it will not be included in the
> response, however what I got was [‘not-before-policy’] => 0. So we couldn’t
> find a way to remove this parameter from the response. You need to contact
> Keycloak and ask them if there is any way to remove this parameter from the
> response, since it is not part of the OIDC protocol.*"
>
>
> Well, yes, it's a Keycloak-specific extension, but they shouldn't be
> crashing because it's there, AFAIK they should be just ignoring this in the
> token and proceeding with the login process.
>
> Based on our experience so far, we are going to have a hard time
> "convincing" them about that, though, so I was wondering if Keycloak allows
> us to disable the not-before-policy to a specific client, or even in the
> realm at all?
>
> If not, any pieces of advice on how to support the fact that they should
> not be crashing on the client side? I'm afraid I don't know Oidc/Oauth2
> specs broadly enough so far to be sure about that and sustain my opinion.
>
> Cheers,
>
> --
> BrunoJCM
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
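The interop point in the thread, shown as an added example (my own illustration, not code from Keycloak or from the client vendor): RFC 6749 section 5.1 says a client MUST ignore unrecognized value names in a token endpoint response, so a client that maps every JSON key to a setter, which is what the `setNot-before-policy()` error suggests, is the part that is out of spec, not the extra field. The token response below is constructed to look like a Keycloak CODE_TO_TOKEN reply with `not-before-policy: 0` (the value the vendor reported); the token strings are placeholders. The strict parser reproduces the crash, the tolerant one validates the standard fields and reports what it ignored. The last helper assumes, as I understand Keycloak's own adapters, that a token issued before the not-before value is treated as revoked and that 0 means no cutoff.

```python
import json

# Constructed sample of a Keycloak-style token endpoint response; the token
# values are placeholders, not real tokens.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJhbGciOiJSUzI1NiJ9.access.placeholder",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiJ9.refresh.placeholder",
    "token_type": "bearer",
    "id_token": "eyJhbGciOiJSUzI1NiJ9.id.placeholder",
    "not-before-policy": 0,
    "session_state": "0f1b2c3d-constructed",
    "scope": "openid profile email",
})

# Parameters the client is expected to understand: RFC 6749 section 5.1
# plus id_token from OpenID Connect Core 3.1.3.3.
KNOWN_FIELDS = frozenset({"access_token", "token_type", "expires_in",
                          "refresh_token", "scope", "id_token"})
REQUIRED_FIELDS = frozenset({"access_token", "token_type"})


class TokenResponseError(ValueError):
    """Raised when a token response cannot be accepted."""


def parse_strict(body):
    """Reproduces the failing client's behaviour: every JSON key must map to
    a known parameter, so a vendor field such as not-before-policy is fatal."""
    data = json.loads(body)
    for key in data:
        if key not in KNOWN_FIELDS:
            raise TokenResponseError("no handler for parameter %r" % key)
    return data


def parse_tolerant(body):
    """RFC 6749 section 5.1 behaviour: validate what matters, ignore the rest.
    Returns (accepted_fields, ignored_field_names)."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise TokenResponseError("token response is not a JSON object")
    missing = REQUIRED_FIELDS - data.keys()
    if missing:
        raise TokenResponseError("missing required parameter(s): %s"
                                 % sorted(missing))
    if str(data["token_type"]).lower() != "bearer":
        raise TokenResponseError("unsupported token_type %r"
                                 % data["token_type"])
    if "expires_in" in data and not isinstance(data["expires_in"], int):
        raise TokenResponseError("expires_in must be an integer")
    accepted = {k: v for k, v in data.items() if k in KNOWN_FIELDS}
    ignored = sorted(k for k in data if k not in KNOWN_FIELDS)
    return accepted, ignored


def issued_before_policy(iat, not_before_policy):
    """Optional use of the Keycloak field for a client that wants it.
    Assumption (how Keycloak's own adapters behave, as I understand them):
    a token whose iat is earlier than the not-before value is revoked, and
    0 means no cutoff, which is the value reported in this thread after
    setting Revocation to none."""
    return not_before_policy > 0 and iat < not_before_policy


if __name__ == "__main__":
    try:
        parse_strict(SAMPLE_RESPONSE)
    except TokenResponseError as exc:
        print("strict parser failed:", exc)
    accepted, ignored = parse_tolerant(SAMPLE_RESPONSE)
    print("tolerant parser accepted:", sorted(accepted))
    print("tolerant parser ignored:", ignored)
```

The tolerant parser still rejects a response that lacks `access_token` or `token_type`, or that carries a non-bearer token type, so ignoring unknown names does not mean skipping validation; it means validating against the fields the spec defines rather than against the exact set of keys the server happens to send.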

