From 5b47df89791b223d28b15fa51397bb3619346bcc Mon Sep 17 00:00:00 2001
From: mhajas
Date: Wed, 10 Apr 2019 09:54:42 +0200
Subject: [PATCH] KEYCLOAK-10013 Do not reject tokens with issuedAt == notBefore
---
 .../RefreshableKeycloakSecurityContext.java | 2 +-
 ...efreshableKeycloakSecurityContextTest.java | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java
index 81d096635e..1a3851d1eb 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java
@@ -76,7 +76,7 @@ public class RefreshableKeycloakSecurityContext extends KeycloakSecurityContext
 }
 
 public boolean isActive() {
- return token != null && this.token.isActive() && deployment!=null && this.token.getIssuedAt() > deployment.getNotBefore();
+ return token != null && this.token.isActive() && deployment!=null && this.token.getIssuedAt() >= deployment.getNotBefore();
 }
 
 public boolean isTokenTimeToLiveSufficient(AccessToken token) {
diff --git a/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/RefreshableKeycloakSecurityContextTest.java b/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/RefreshableKeycloakSecurityContextTest.java
index 390680a4a7..08fd3b3407 100644
--- a/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/RefreshableKeycloakSecurityContextTest.java
+++ b/adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/RefreshableKeycloakSecurityContextTest.java
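Review bot: The `>=` in `isActive()` now accepts a token whose `iat` equals the deployment's not-before value, and nothing in the method records why that boundary is safe. Both values look like whole-second timestamps (the accompanying test sets them from plain ints), so a token issued in the same second as a not-before push, but just ahead of it, would presumably stay valid on this adapter. That is a reasonable trade-off against rejecting tokens minted right after the push, but it should be written down next to the comparison. I would add above the return a comment such as `// iat == notBefore is accepted: at one-second granularity a token cannot be ordered against a not-before push made in the same second`. The enclosing class starts and continues outside the hunk.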
@@ -4,6 +4,8 @@ import org.junit.Test;
 import org.keycloak.representations.oidc.TokenMetadataRepresentation;
 
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
 /**
 * @author github.com/tubbynl
 *
@@ -20,4 +22,21 @@ public class RefreshableKeycloakSecurityContextTest {
 // verify false if null deployment (KEYCLOAK-3050; yielded a npe)
 assertFalse(sut.isActive());
 }
+
+ @Test
+ public void sameIssuedAtAsNotBeforeIsActiveKEYCLOAK10013() {
+ KeycloakDeployment keycloakDeployment = new KeycloakDeployment();
+ keycloakDeployment.setNotBefore(5000);
+
+ TokenMetadataRepresentation token = new TokenMetadataRepresentation();
+ token.setActive(true);
+ token.issuedAt(4999);
+
+ RefreshableKeycloakSecurityContext sut = new RefreshableKeycloakSecurityContext(keycloakDeployment,null,null,token,null, null, null);
+
+ assertFalse(sut.isActive());
+
+ token.issuedAt(5000);
+ assertTrue(sut.isActive());
+ }
 }
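Review bot: `sameIssuedAtAsNotBeforeIsActiveKEYCLOAK10013` checks two boundaries in one method and reaches the second by mutating `token` after `sut` was built, so the `assertTrue` only holds while the context keeps a reference to that same object. Splitting it into a just-before case and an equal case, each building its own context, would keep the not-before boundary pinned even if the constructor later copies the token. Failure messages would also make a regression on this check easier to read, for example `assertFalse("iat before notBefore must be rejected", sut.isActive());` and `assertTrue("iat equal to notBefore must be accepted", sut.isActive());`. The test class begins outside the hunk.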