Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: None
Affects Version/s: None
Component/s: Documentation
Labels:
- help-wanted

Blocked:
False
Ready:
False
Epic Link:
RHSSO 7.5.2
Git Pull Request:
https://gitlab.cee.redhat.com/keycloak/keycloak-documentation-prod/-/merge_requests/74

SFDC Cases Links:
SFDC Cases Counter:

Description

Keycloak's OTP Policy contains a setting for "Look Ahead Window" which is described as "How far ahead should the server look just in case the token generator and server are
out of time sync or counter sync?"

In my testing with TOTP, it appears to actually be a look behind window. Keycloak accepts older one time codes, but not newer ones.

The API documentation also specifies:

@param lookAheadWindow the number of previous intervals that should be used to validate tokens.

And the implementation matches the API documentation https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/models/utils/TimeBasedOTP.java#L79

In any case, Keycloak should accept skew in both directions, so look ahead and look behind, to compensate for both kinds of clock skew.

Attachments

Issue Links

mentioned on

Merge request - Correcting Looking around

Activity

People

Assignee:: Andrew Munro

Reporter:: Maximilian Gaß (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2022/02/23 12:56 PM

Updated:: 2023/10/13 11:00 AM

Resolved:: 2022/03/18 12:34 PM