keycloak-services does not properly validate certificates. Lack of validation on the certificate timestamp validity allows an expired certificate to be accepted by Keycloak’s direct-grant authenticator.
direct-grant