Keycloak: Account for millisecond truncation of action-token expirati…

…on marker in SessionPropagationActionTokenHandler
thomasdarimont · Dec 11, 2023 · 5206be7 · 5206be7
1 parent 598c4f5
commit 5206be7
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/...homasdarimont/keycloak/custom/endpoints/offline/SessionPropagationActionTokenHandler.java b/...homasdarimont/keycloak/custom/endpoints/offline/SessionPropagationActionTokenHandler.java
@@ -40,7 +40,7 @@ public Response handleToken(SessionPropagationActionToken token, ActionTokenCont
 
         // mark token as consumed
         var singleUseObjectProvider = session.getProvider(SingleUseObjectProvider.class);
-        singleUseObjectProvider.put(token.serializeKey(), token.getExp() - Time.currentTime(), null); // Token is invalidated
+        singleUseObjectProvider.put(token.serializeKey(), token.getExp() - Time.currentTime() + 1, null); // mark token as invalidated, +1 second to account for rounding to seconds
 
         var authSession = tokenContext.getAuthenticationSession();
         var authenticatedUser = authSession.getAuthenticatedUser();