KEYCLOAK-10013 Do not reject tokens with issuedAt == notBefore

adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java

@@ -76,7 +76,7 @@ public class RefreshableKeycloakSecurityContext extends KeycloakSecurityContext
     }
 
     public boolean isActive() {
-        return token != null && this.token.isActive() && deployment!=null && this.token.getIssuedAt() > deployment.getNotBefore();
+        return token != null && this.token.isActive() && deployment!=null && this.token.getIssuedAt() >= deployment.getNotBefore();
     }
 
     public boolean isTokenTimeToLiveSufficient(AccessToken token) {

adapters/oidc/adapter-core/src/test/java/org/keycloak/adapters/RefreshableKeycloakSecurityContextTest.java

@@ -4,6 +4,8 @@ import org.junit.Test;
 import org.keycloak.representations.oidc.TokenMetadataRepresentation;
 
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
 /**
  * @author github.com/tubbynl
  *
@@ -20,4 +22,21 @@ public class RefreshableKeycloakSecurityContextTest {
 		// verify false if null deployment (KEYCLOAK-3050; yielded a npe)
 		assertFalse(sut.isActive());
 	}
+
+	@Test
+	public void sameIssuedAtAsNotBeforeIsActiveKEYCLOAK10013() {
+		KeycloakDeployment keycloakDeployment = new KeycloakDeployment();
+		keycloakDeployment.setNotBefore(5000);
+
+		TokenMetadataRepresentation token = new TokenMetadataRepresentation();
+		token.setActive(true);
+		token.issuedAt(4999);
+
+		RefreshableKeycloakSecurityContext sut = new RefreshableKeycloakSecurityContext(keycloakDeployment,null,null,token,null, null, null);
+
+		assertFalse(sut.isActive());
+
+		token.issuedAt(5000);
+		assertTrue(sut.isActive());
+	}
 }