Uploaded image for project: 'Red Hat build of Keycloak'
  1. Red Hat build of Keycloak
  2. RHBK-1892

Revoked Token may be valid for a short time after expiring [GHI#26113]

XMLWordPrintable

    • False
    • Hide

      None

      Show
      None
    • False

      Description

      A timing issue in our token revocation and expiration within Keycloak OIDC. The mismatch occurs because the cache calculates token lifespans in milliseconds, whereas the expiry checks are in seconds. This mismatch leads to a one-second window where an expired token, already removed from the cache, is still erroneously considered valid. For the complexity to exploit this is considered a weakness.

      This is valid for one second and the malicious attacker must have access to the token in this meantime meaning it should already be compromised or fastly accessed. Also, after this timeframe the token is invalid forever and no further actions may be done. Confidentiality and Integrity are set as Low as this normally would affect a single user.

      Version

      \>= 23.0.4

      References:

            Unassigned Unassigned
            pvlha Pavel Vlha
            Keycloak Core Clients
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: