Details
- Type: Bug
- Resolution: Done
- Priority: Major
Description
Keycloak's OTP Policy contains a setting for "Look Ahead Window" which is described as "How far ahead should the server look just in case the token generator and server are out of time sync or counter sync?"
In my testing with TOTP, it appears to actually be a look behind window. Keycloak accepts older one time codes, but not newer ones.
The API documentation also specifies:
- @param lookAheadWindow the number of previous intervals that should be used to validate tokens.
And the implementation matches the API documentation: https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/models/utils/TimeBasedOTP.java#L79
In any case, Keycloak should accept skew in both directions, so look ahead and look behind, to compensate for both kinds of clock skew.
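To make the reported asymmetry concrete, here is an added example (not Keycloak's code and not part of the issue) implementing RFC 6238 TOTP in Python with two validators: one that, like the behaviour described above, only checks the current interval and `window` previous intervals, and one that checks `window` intervals on both sides. The secret, timestamp, and function names are constructed for the example; the only real values are the RFC 6238 test vector used as a sanity check.

```python
import base64
import hashlib
import hmac
import struct

PERIOD = 30   # seconds per TOTP interval
DIGITS = 6

# Constructed Base32 secret for the demonstration (not from the issue).
SECRET_B32 = "JBSWY3DPEHPK3PXP"
SECRET = base64.b32decode(SECRET_B32)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = PERIOD, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, unix_time // period, digits)


def validate_look_behind(secret: bytes, code: str, unix_time: int, window: int,
                         period: int = PERIOD) -> bool:
    """Mirrors the behaviour the issue describes: the current interval plus `window`
    previous intervals are checked, so a code from a client clock running *ahead*
    of the server is rejected."""
    current = unix_time // period
    return any(
        hmac.compare_digest(hotp(secret, counter), code)
        for counter in range(current - window, current + 1)
    )


def validate_symmetric(secret: bytes, code: str, unix_time: int, window: int,
                       period: int = PERIOD) -> bool:
    """Skew tolerance in both directions: `window` intervals behind and ahead of
    the current one are accepted, so slow and fast client clocks are treated alike."""
    current = unix_time // period
    return any(
        hmac.compare_digest(hotp(secret, counter), code)
        for counter in range(current - window, current + window + 1)
    )


def demo(now: int = 1_700_000_000, window: int = 1) -> dict:
    """Validate codes from the previous, current and next interval with both policies."""
    codes = {
        "previous": totp(SECRET, now - PERIOD),
        "current": totp(SECRET, now),
        "next": totp(SECRET, now + PERIOD),
    }
    return {
        name: {
            "look_behind": validate_look_behind(SECRET, code, now, window),
            "symmetric": validate_symmetric(SECRET, code, now, window),
        }
        for name, code in codes.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>8}: look_behind={result['look_behind']}  symmetric={result['symmetric']}")
```

Widening the window in both directions doubles the number of codes accepted at any instant, so a deployment that does this should keep the window small and continue to reject reuse of a code whose counter has already been accepted; the example above only shows the window logic, not replay tracking.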