Description
When a realm-level notBefore revocation is applied (e.g., via global logout or the "Not Before" revocation policy), the OIDC token introspection endpoint still returns active=true for tokens issued before the realm cutoff, if the client also has a client-level notBefore value configured. The client-level notBefore takes precedence instead of using the more restrictive of the two values.
This causes resource servers that rely on introspection to continue honoring tokens that should have been invalidated by the realm-wide revocation.
Version affected
All current versions.
Expected behavior
When both realm-level and client-level notBefore values are set, token introspection should use the more recent (higher) of the two values. A token issued before the realm-level notBefore cutoff should be reported as active=false, regardless of the client-level notBefore value.
Actual behavior
Token introspection evaluates only the client-level notBefore value when it is present, ignoring the realm-level notBefore. Tokens issued before the realm-level revocation cutoff are returned as active=true if they were issued after the client-level notBefore.
Steps to reproduce
- Authenticate as a user or client and obtain a valid access token
- Set a client-level notBefore value on the client (e.g., via "Not Before" in the client settings)
- Advance the realm-level notBefore by triggering a realm-wide revocation (e.g., global logout or setting the realm "Not Before" policy to the current time)
- Call the OIDC introspection endpoint with the token obtained in step 1
- Observe that the response returns active=true, even though the token was issued before the realm-level notBefore cutoff
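The cutoff logic described above, as an added illustration (not Keycloak's own code): the reported behaviour beside the expected one, run over a constructed timeline in which the client-level notBefore predates the token and the realm-wide revocation follows it. It assumes the cutoffs and the token's iat are epoch seconds and that a token is inactive when its iat is earlier than the enforced cutoff.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed scenario (epoch seconds): the client-level cutoff predates the
# token; the realm-wide revocation (e.g. global logout) happens after issuance.
CLIENT_NOT_BEFORE = 1_000   # "Not Before" configured on the client
TOKEN_IAT = 1_500           # token issued after the client cutoff
REALM_NOT_BEFORE = 2_000    # realm-wide revocation applied later
NOW = 2_500
TOKEN_EXP = 3_600


@dataclass(frozen=True)
class Token:
    iat: int   # issued-at, seconds since epoch
    exp: int   # expiry, seconds since epoch


def effective_not_before(realm_nb: int, client_nb: Optional[int]) -> int:
    """Cutoff introspection must enforce: the more recent (higher) of the two."""
    return realm_nb if client_nb is None else max(realm_nb, client_nb)


def introspect_buggy(token: Token, now: int, realm_nb: int, client_nb: Optional[int]) -> bool:
    """Behaviour reported in the issue: a configured client-level notBefore
    replaces the realm-level value instead of being combined with it."""
    cutoff = client_nb if client_nb is not None else realm_nb
    return now < token.exp and token.iat >= cutoff


def introspect_fixed(token: Token, now: int, realm_nb: int, client_nb: Optional[int]) -> bool:
    """Expected behaviour: a token issued before either cutoff is inactive."""
    cutoff = effective_not_before(realm_nb, client_nb)
    return now < token.exp and token.iat >= cutoff


def run_scenario() -> dict:
    """Evaluate the same token both ways; only the fixed check reports it revoked."""
    token = Token(iat=TOKEN_IAT, exp=TOKEN_EXP)
    return {
        "buggy": introspect_buggy(token, NOW, REALM_NOT_BEFORE, CLIENT_NOT_BEFORE),
        "fixed": introspect_fixed(token, NOW, REALM_NOT_BEFORE, CLIENT_NOT_BEFORE),
    }


if __name__ == "__main__":
    print(run_scenario())   # {'buggy': True, 'fixed': False}
```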
This issue was originally tracked in the private repository. Migrated by @abstractj.