Closed Eng-Fouad closed 1 year ago
/cc @pedroigor (oidc), @sberyozkin (oidc)
@Eng-Fouad iat is a mandatory claim in OIDC. I've noticed you opened a PR to Keycloak, so that should resolve the issue, right?
What about adding a custom config that makes the claim optional? Similar to smallrye.jwt.time-to-live=-1: #17622. Or is it against the OIDC specs?
@Eng-Fouad If we were dealing with some legacy providers which can't be fixed any more then it would likely be worth considering - but we are dealing with a very active Keycloak project here, with your fix on the way, so right now it seems reasonable just to get a new version of Keycloak rather than relax OIDC verification - without iat, its optional token age configuration becomes loose.
It is required for ID tokens but not strictly required in any texts for access tokens. We might be able to relax it for access tokens only
You are right. I am closing this issue and will wait for the Keycloak fix to be merged.
@Eng-Fouad Sounds good, we can revisit this issue if necessary, please re-open later if needed
@sberyozkin BTW, is there a temp workaround to customize the JWT parser? I can see TokenCustomizer::customizeHeaders in 3.2.0, but that's just for headers. My goal is to bypass the iat check.
Hi @sberyozkin, I would very much appreciate it if the iat claim could become optional via config properties. Not everyone uses Keycloak but still uses the oidc dependency to verify the tokens via the public key. As I need multi-tenancy I cannot use the Quarkus SmallRye JWT dependency as that does not support multi-tenancy (the two different key signing algorithms also differ).
Now my code fails because my JWT doesn't have the iat claim (as I use nbf and exp):
rejected due to invalid claims or other invalid content. Additional details: [[3] No Issued At (iat) claim present.]
Describe the bug
quarkus-oidc currently enforces iat as a mandatory claim and there is no way to make it optional: https://github.com/quarkusio/quarkus/blob/e59f6d4a7983fa87ad217d629740813043beecd3/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcProvider.java#L175
When the CIBA flow is used with Keycloak, Keycloak will call the endpoint that is specified in --spi-ciba-auth-channel-ciba-http-auth-channel-http-authentication-channel-uri and will pass a JWT in the Authorization header. This JWT has no iat claim. I got the following error: