Revoked Token may be valid for a short time after expiring #26113

@abstractj

Description


There is a timing issue in our token revocation and expiration within Keycloak OIDC. The mismatch occurs because the cache calculates token lifespans in milliseconds, whereas the expiry checks are in seconds. This mismatch leads to a one-second window where an expired token, already removed from the cache, is still erroneously considered valid. Given the complexity of exploiting it, this is considered a weakness.

This is valid for one second, and the malicious attacker must have access to the token in the meantime, meaning it should already be compromised or quickly accessed. Also, after this timeframe the token is invalid forever and no further actions may be done. Confidentiality and Integrity are set as Low as this normally would affect a single user.
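The unit mismatch described above, modelled as an added example (constructed code, not Keycloak's): a revocation cache drops its entry at millisecond precision, while the expiry check truncates to whole seconds, so a revoked token passes both checks during the second in which it expires. The `aligned` variant compares in the same unit as the cache and closes the gap; class and function names are hypothetical.

```python
"""Constructed model of a seconds-vs-milliseconds mismatch between a revocation
cache and an expiry check. Not Keycloak code; names and values are made up."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Token:
    token_id: str
    exp: int  # expiry as whole seconds since epoch, like a JWT "exp" claim


@dataclass
class RevocationCache:
    """Tracks revoked token ids for the token's remaining lifetime, computed
    in milliseconds; an entry is dropped exactly at exp * 1000."""
    _evict_at_ms: dict = field(default_factory=dict)

    def revoke(self, token: Token) -> None:
        self._evict_at_ms[token.token_id] = token.exp * 1000

    def is_revoked(self, token_id: str, now_ms: int) -> bool:
        evict_at = self._evict_at_ms.get(token_id)
        return evict_at is not None and now_ms < evict_at


def is_expired_seconds(token: Token, now_ms: int) -> bool:
    """Check done in whole seconds: the token counts as expired only once the
    current second is strictly past exp, so every ms of second `exp` passes."""
    return token.exp < now_ms // 1000


def is_expired_aligned(token: Token, now_ms: int) -> bool:
    """Same check at millisecond precision, agreeing with the cache eviction."""
    return now_ms >= token.exp * 1000


def accepted(token: Token, cache: RevocationCache, now_ms: int, aligned: bool) -> bool:
    expired = is_expired_aligned(token, now_ms) if aligned else is_expired_seconds(token, now_ms)
    return not expired and not cache.is_revoked(token.token_id, now_ms)


def acceptance_window_ms(token: Token, aligned: bool) -> list:
    """Millisecond timestamps around exp at which a *revoked* token is still accepted."""
    cache = RevocationCache()
    cache.revoke(token)
    start = token.exp * 1000 - 1000  # scan from one second before expiry
    return [t for t in range(start, start + 3000) if accepted(token, cache, t, aligned)]
```

With the seconds-based check the window is exactly 1000 ms starting at `exp * 1000`; with the aligned check it is empty.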

Version

>= 23.0.4

References:
