How to allow auth_time to be 0 #788

electerious · 2025-05-08T13:50:15Z

electerious
May 8, 2025

I'm getting the following error when doing a genericGrantRequest using password:

ID Token "auth_time" (authentication time) must be a positive number

The auth_time is actually 0. This is what Keycloak sends when using "Direct access grants". I guess that the auth_time is 0, because the user itself never authenticated / was never redirect to Keycloak and was authenticated using a system with username and password.

I couldn't find a way to disable this check in the openid-client nor to modify this behaviour in Keycloak.

Shouldn't this check be optional? It wasn't a problem in v5.

Answered by electerious

May 9, 2025

Turns out that the behaviour has changed and is fixed in the newest Version auf Keycloak. auth_time now has the correct value even when using the direct access grant :)

View full answer

panva · 2025-05-09T07:59:44Z

panva
May 9, 2025
Maintainer

I am not able to neither articulate a passable justification for the value check, nor accept the reasoning for the value used by keycloak.

0 replies

electerious · 2025-05-09T11:36:22Z

electerious
May 9, 2025
Author

Turns out that the behaviour has changed and is fixed in the newest Version auf Keycloak. auth_time now has the correct value even when using the direct access grant :)

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

How to allow auth_time to be 0 #788

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

How to allow auth_time to be 0 #788

Uh oh!

Uh oh!

electerious May 8, 2025

Replies: 2 comments

Uh oh!

Uh oh!

panva May 9, 2025 Maintainer

Uh oh!

electerious May 9, 2025 Author

electerious
May 8, 2025

panva
May 9, 2025
Maintainer

electerious
May 9, 2025
Author