keycloak/keycloak

EntraID: Sometimes "Token no longer valid" issue with max_age=0

Open

#46.078 aberto em 6 de fev. de 2026

Ver no GitHub
 (2 comments) (2 reactions) (1 assignee)Java (8.346 forks)batch import
area/identity-brokeringhelp wantedkind/bugpriority/normalstatus/auto-bumpteam/core-iam

Métricas do repositório

Stars
 (34.398 stars)
Métricas de merge de PR
 (Mesclagem média 6d 19h) (384 fundiu PRs em 30d)

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

oidc

Describe the bug

Our Keycloak is used as broker between our application and a Microsoft EntraID IdP (registered application is multitenant). For regulatory reasons, we need the "Signature" feature in the application make the user authenticate again even if the last authentication was 2s ago. So we set the max_age parameter to 0. It works well for the authorization: user must select account and enter password. But sometimes, it fails for Keycloak to validate the Token.

We enabled to store the token so I could have it when we have a success to validate token. We noticed in the id_token that:

  • iat and nbf are 5 minutes before the user authentication
  • exp and auth_time have the same value (now) So sometimes Keycloak is too late for the exp claim and we have the message in "Token no longer valid" in the logs.

The Clock Skew value in the IdP setting doesn't change anything.

Version

26.0.5

Regression

  • The issue is a regression

Expected behavior

As exp has the same value as auth_time and Keycloak can have a delay to validate the token. We would like the Clock Skew to be used for exp validation.

Actual behavior

The Clock Skew is not used for exp validation in the id_token

How to Reproduce?

Create a registered application in Azure EntraID (I think that a single tenant application is enough to reproduce). And a Identity Provider in the Keycloak Realm. We can edit the Authorization endpoint to add directly the parameter "?max_age=0" at the end of the URL.

Then we can try to connect to the Keycloak /realms/{REALM}/account/ with this IdP Once authenticated on EntraID, we get back to Keycloak with our code and sometimes we have the issue. Maybe you have to destroy this user session and reload the Keycloak URL to reproduce.

Anything else?

I suggest these changes in org.keycloak.representations.JsonWebToken

-Add this method @JsonIgnore public boolean isExpired(long allowedTimeSkew) { return exp != null && exp != 0 && Time.currentTime() - allowedTimeSkew > exp; }

  • Replace this method @JsonIgnore public boolean isActive(int allowedTimeSkew) { return !isExpired(allowedTimeSkew) && isNotBefore(allowedTimeSkew); }

Guia do colaborador