[keycloak-user] Is it possible to disable not-before-policy token? Oidc client is crashing because it's there

Dmitry Telegin demetrio at carretti.pro
Mon May 27 18:09:03 EDT 2019


On Mon, 2019-05-27 at 19:00 +0200, Stian Thorgersen wrote:
> Can't remember if this was converted to a protocol mapper or not, if it is
> then you should be able to just remove the protocol mapper. If it's not
> open a feature request and better yet a pr.

The problematic "not-before-policy" is not a claim, it is part of the token response, and it is hardcoded as a @JsonProperty. But the client library is indeed buggy (and unmaintained for 5 years), see my reply to OP for details.

Dmitry

> 
> On Mon, 27 May 2019, 13:45 Bruno Medeiros, <brunojcm at gmail.com> wrote:
> 
> > Hi, everyone.
> > 
> > First off, I've been using Keycloak in production for quite a while now, it
> > is working great, thanks everyone involved!
> > 
> > I'm trying to add a new Oidc client now which is a third-party cloud
> > service, and they are struggling to handle the CODE_TO_TOKEN Keycloak response.
> > The error that shows up to the user is:
> > 
> > Invalid response: [InoOicClient\Entity\Exception\InvalidMethodException]
> > Invalid method InoOicClient\Oic\Token\Response::setNot-before-policy()
> > 
> > After a few emails with their support team, they said:
> > 
> > "... The error is related to the “not-before-policy” parameter that is
> > included in the response which is not part of the OIDC protocol but a
> > Keycloak specific extension. This parameter gets its value from: Clients ->
> > {client name} -> Revocation
> > We set this option to none hoping that it will not be included in the
> > response, however what I got was [‘not-before-policy’] => 0. So we couldn’t
> > find a way to remove this parameter from the response. You need to contact
> > Keycloak and ask them if there is any way to remove this parameter from the
> > response, since it is not part of the OIDC protocol."
> > 
> > 
> > Well, yes, it's a Keycloak-specific extension, but they shouldn't be
> > crashing because it's there, AFAIK they should be just ignoring this in the
> > token and proceeding with the login process.
> > 
> > Based on our experience so far, we are going to have a hard time
> > "convincing" them about that, though, so I was wondering if Keycloak allows
> > us to disable the not-before-policy to a specific client, or even in the
> > realm at all?
> > 
> > If not, any pieces of advice on how to support the fact that they should
> > not be crashing on the client side? I'm afraid I don't know the Oidc/Oauth2
> > specs broadly enough so far to be sure about that and sustain my opinion.
> > 
> > Cheers,
> > 
> > --
> > BrunoJCM
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
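A tolerant token-response parser for the situation discussed in this thread, as an added example that is neither the third-party client's code nor Keycloak's: RFC 6749 section 5.1 says a client MUST ignore unrecognized value names in the token response, so the parser keeps the standard members, validates the required ones and reports the rest as ignored. The StrictTokenResponse class reproduces the failing setter-per-key pattern for contrast, and the sample response is constructed with placeholder token strings.

```python
import json
import re

# Constructed Keycloak-style token response (placeholder token strings); it carries the
# Keycloak-specific "not-before-policy" and "session_state" members next to the standard ones.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ.placeholder.access",
    "expires_in": 300,
    "refresh_token": "eyJ.placeholder.refresh",
    "token_type": "bearer",
    "id_token": "eyJ.placeholder.id",
    "not-before-policy": 0,
    "session_state": "00000000-0000-4000-8000-000000000000",
})

# Members defined by RFC 6749 section 5.1 plus id_token from OpenID Connect Core 3.1.3.3.
KNOWN_FIELDS = {"access_token", "token_type", "expires_in", "refresh_token", "scope", "id_token"}
REQUIRED_FIELDS = {"access_token", "token_type"}

class StrictTokenResponse:
    """Mimics the failing client: each key becomes a set<Key>() call, so a hyphen breaks it."""
    def __init__(self, body: str):
        for key, value in json.loads(body).items():
            method = "set" + key[:1].upper() + key[1:]
            if not re.fullmatch(r"[A-Za-z_]\w*", method):
                raise AttributeError(f"Invalid method {method}()")
            setattr(self, key, value)

def strict_parse_fails(body: str) -> bool:
    try:
        StrictTokenResponse(body)
        return False
    except AttributeError:
        return True

def parse_token_response(body: str) -> dict:
    """Keep the known members, validate the required ones, ignore the rest (RFC 6749 5.1)."""
    data = json.loads(body)
    missing = REQUIRED_FIELDS - set(data)
    if missing:
        raise ValueError(f"missing required members: {sorted(missing)}")
    if data["token_type"].lower() != "bearer":  # token_type is case-insensitive
        raise ValueError(f"unsupported token_type: {data['token_type']}")
    if "expires_in" in data and not isinstance(data["expires_in"], int):
        raise ValueError("expires_in must be an integer number of seconds")
    ignored = sorted(set(data) - KNOWN_FIELDS)  # e.g. not-before-policy, session_state
    return {"tokens": {k: data[k] for k in KNOWN_FIELDS if k in data}, "ignored": ignored}
```

The "ignored" list is worth logging at debug level on the client side: it shows which provider-specific extensions were received without letting any of them abort the login.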