Boundary keycloak oidc

I have set this up as close as I can to the Auth0 tutorial and have it working through the Keycloak login, but something is happening at the callback, I guess. It might be obvious in that error, but I'm at a loss. Thanks

“authentication-error?error=authmethod_service.%28Service%29.authenticateOidcCallback%3A+Callback+validation+failed.%3A+parameter+violation%3A+error+%23100%3A+oidc.Callback%3A+unable+to+complete+exchange+with+oidc+provider%3A+unknown%3A+error+%230%3A+Provider.Exchange%3A+id_token+failed+verification%3A+Provider.VerifyIDToken%3A+auth_time+%282021-04-19+18%3A43%3A48±0500+CDT%29+is+beyond+max+age+%2830%29%3A+expired+auth_time”

We’ll be surfacing that error better on the error page in the future but you can see in that string that the auth time is beyond the set max-age. This might indicate out-of-sync system clocks, or just that you need to change the max-age setting you’re using.

Did you attempt to set the max-age to 0, like in the activate OIDC auth section?

boundary auth-methods update oidc -id amoidc_q7jAdI1QgA -issuer "https://ISSUER_URL/" -max-age 0

I did, but then set it to 30 afterwards and it did not seem to work. But this is the issue, as if I set it to 3000 it works. Fixed the timezone and it's working. Thanks for the help!


Yep, it's seconds IIRC, so you'd have to have logged into your IdP within the last 30 seconds. Something longer is probably ideal :smiley:
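The check behind that error, as an added example that is not Boundary's, Keycloak's or the cap library's own code: it decodes the URL-encoded callback error and applies the OIDC max_age rule to an id_token's auth_time claim, with a leeway parameter for the clock-skew case raised above. The token, its claims, the 45-second login-to-callback delay and the abbreviated error URL are all constructed for the example.

```python
import base64
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit


def decode_callback_error(location: str) -> str:
    """Return the readable message from an 'authentication-error?error=...' redirect."""
    params = parse_qs(urlsplit(location).query)  # parse_qs undoes %xx and '+' encoding
    return params.get("error", [""])[0]


def make_id_token(claims: dict) -> str:
    """Build an unsigned JWT (header.payload.) for testing; a real id_token is signed by the IdP."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def id_token_claims(id_token: str) -> dict:
    """Decode the payload; signature verification is the OIDC library's job and is not shown here."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding stripped by the issuer
    return json.loads(base64.urlsafe_b64decode(payload))


def check_auth_time(claims: dict, max_age: int, now: int, leeway: int = 0) -> None:
    """OIDC max_age rule (positive max_age, in seconds): the token must carry auth_time and the time
    since that IdP login may not exceed max_age. leeway absorbs clock skew between IdP and relying
    party; auth_time is Unix epoch (UTC), so a mis-set local clock shifts `now`, not the claim."""
    auth_time = claims.get("auth_time")
    if auth_time is None:
        raise ValueError("max_age requested but id_token has no auth_time claim")
    elapsed = now - int(auth_time)
    if elapsed > max_age + leeway:
        when = datetime.fromtimestamp(int(auth_time), tz=timezone.utc).isoformat()
        raise ValueError(f"auth_time ({when}) is beyond max age ({max_age}): expired auth_time")


AUTH_TIME = 1_618_875_828  # constructed: 2021-04-19 23:43:48 UTC, i.e. 18:43:48 CDT as in the thread
SAMPLE_TOKEN = make_id_token({"sub": "alice", "auth_time": AUTH_TIME})  # constructed claims
SAMPLE_ERROR = ("authentication-error?error=Provider.VerifyIDToken%3A+auth_time+is+beyond"
                "+max+age+%2830%29%3A+expired+auth_time")  # constructed, abbreviated from the thread

if __name__ == "__main__":
    print(decode_callback_error(SAMPLE_ERROR))
    claims = id_token_claims(SAMPLE_TOKEN)
    for max_age in (30, 3000):  # the two values tried above; callback assumed 45 s after IdP login
        try:
            check_auth_time(claims, max_age, now=AUTH_TIME + 45)
            print(f"max_age={max_age}: ok")
        except ValueError as e:
            print(f"max_age={max_age}: {e}")
```

With max_age 30 the 45-second gap fails exactly as in the quoted error, while 3000 passes; a leeway of 60 also rescues the 30-second setting, which is the clock-skew case the reply mentions.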