[keycloak-user] Is it possible to disable not-before-policy token? Oidc client is crashing because it's there

Dmitry Telegin demetrio at carretti.pro
Mon May 27 18:07:19 EDT 2019


Hi Bruno,

The "not-before-policy" property cannot be disabled in Keycloak since it is hardcoded. And it is not the only problematic field, it's just alphabetically first, there are also non-standard "refresh_expires_in" and "session_state" that will also break your client.

The bug is recognized by the author of the client library [2]. This is indeed a bug since the spec clearly says:

> The client MUST ignore unrecognized value names in the response. [3]

Hope that helps you to defend your position. Meanwhile, there are at least two workarounds (however hackish):
- remove the problematic fields from org.keycloak.representations.AccessTokenResponse and dependent classes and recompile Keycloak - this will solve the problem, but will obviously lead to maintenance hell;
- set up content filter in your reverse proxy to remove the fields from the token response. This will work since token response is not signed (opposite to tokens themselves).

[1] https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/keycloak/representations/AccessTokenResponse.java#L52
[2] https://github.com/ivan-novakov/php-openid-connect-client/issues/14
[3] https://tools.ietf.org/html/rfc6749#section-5.1

Good luck,
Dmitry Telegin

Carretti Consulting OÜ | Keycloak Consulting and Training
Sepapaja 6, Tallinn 15551, Estonia | info at carretti.pro

On Mon, 2019-05-27 at 19:30 +0800, Bruno Medeiros wrote:
> Hi, everyone.
> 
> First off, I've been using Keycloak in production for quite a while now, it
> is working great, thanks everyone involved!
> 
> I'm trying to add a new Oidc client now which is a third-party cloud
> service, and they are struggling to handle CODE_TO_TOKEN Keycloak response.
> The error that shows up to the user is:
> 
> Invalid response: [InoOicClient\Entity\Exception\InvalidMethodException]
> Invalid method InoOicClient\Oic\Token\Response::setNot-before-policy()
> 
> After a few emails with their support team, they said:
> 
> "*... The error is related to the “not-before-policy” parameter that is
> included in the response which is not part of the OIDC protocol but a
> Keycloak specific extension. This parameter gets its value from: Clients ->
> {client name} -> Revocation*
> *We set this option to none hoping that it will not be included in the
> response, however what I got was [‘not-before-policy’] => 0. So we couldn’t
> find a way to remove this parameter from the response. You need to contact
> Keycloak and ask them if there is any way to remove this parameter from the
> response, since it is not part of the OIDC protocol.*"
> 
> 
> Well, yes, it's a Keycloak-specific extension, but they shouldn't be
> crashing because it's there, AFAIK they should be just ignoring this in the
> token and proceeding with the login process.
> 
> Based on our experience so far, we are going to have a hard time
> "convincing" them about that, though, so I was wondering if Keycloak allows
> us to disable the not-before-policy to a specific client, or even in the
> realm at all?
> 
> If not, any pieces of advice on how to support the fact that they should
> not be crashing on the client side? I'm afraid I don't know Oidc/Oauth2
> specs broadly enough so far to be sure about that and sustain my opinion.
> 
> Cheers,
> 
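The reverse-proxy workaround from the reply above (strip the non-standard members from the unsigned token response while leaving the tokens themselves untouched), as an added example that is not part of the original thread: the sample response and its placeholder token values are constructed, and keeping an allowlist of the RFC 6749 section 5.1 members plus id_token, instead of deleting only the three fields named in the reply, is an assumption of this example.

```python
import json

# Members of a successful token response defined by RFC 6749 section 5.1
# (access_token, token_type, expires_in, refresh_token, scope) plus id_token from
# OpenID Connect Core. Everything else, including Keycloak's not-before-policy,
# refresh_expires_in and session_state, is dropped.
STANDARD_TOKEN_RESPONSE_FIELDS = frozenset({
    "access_token", "token_type", "expires_in", "refresh_token", "scope", "id_token",
})


def _parse_object(body: bytes):
    """Return the parsed JSON object, or None if body is not a JSON object."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    return data if isinstance(data, dict) else None


def nonstandard_fields(body: bytes) -> list:
    """Sorted names of non-standard members, e.g. for proxy audit logging."""
    data = _parse_object(body)
    return [] if data is None else sorted(k for k in data if k not in STANDARD_TOKEN_RESPONSE_FIELDS)


def filter_token_response(body: bytes) -> bytes:
    """Rewrite the token response body so that only standard members remain.

    The response is an unsigned JSON object, so members can be removed without
    invalidating anything; the tokens inside are passed through unchanged. Error
    responses (RFC 6749 section 5.2, carrying "error") and non-JSON bodies are
    returned as-is. A proxy applying this must also recompute Content-Length.
    """
    data = _parse_object(body)
    if data is None or "error" in data:
        return body
    kept = {k: v for k, v in data.items() if k in STANDARD_TOKEN_RESPONSE_FIELDS}
    return json.dumps(kept, separators=(",", ":")).encode()


# Constructed sample of a Keycloak-style CODE_TO_TOKEN response (placeholder tokens).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "ACCESS_TOKEN_PLACEHOLDER", "expires_in": 300,
    "refresh_expires_in": 1800, "refresh_token": "REFRESH_TOKEN_PLACEHOLDER",
    "token_type": "bearer", "id_token": "ID_TOKEN_PLACEHOLDER",
    "not-before-policy": 0, "session_state": "SESSION_STATE_PLACEHOLDER",
    "scope": "openid profile",
}).encode()
```

Where the filter is attached to the proxy depends on the proxy in use; the response is only rewritten on the token endpoint, and the error branch keeps RFC 6749 error responses intact.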