
Refresh token with offline_access scope affected by session idle/session max #9299

@yamsergey-oviva

Description

Describe the bug

Hello there.

My keycloak configured with:

SSO Session Idle = 30m
SSO Session Max = 30m

And my refresh token with offline_access scope has interesting lifetime:

  • If the client is inactive for more than 30m, then when I use the refresh token to fetch a new access token keycloak's response is:
{
  "error": "invalid_grant",
  "error_description": "Session doesn't have required client"
}
  • If the client does at least one authentication request within the 30m span then keycloak successfully provides me with a new access token and it works fine until the previous scenario happens.

According to the documentation refresh token with offline scope shouldn't be affected by any of session idle/max.

Any ideas?

Version

14.0.0

Expected behavior

Keycloak provides access token

Actual behavior

{
  "error": "invalid_grant",
  "error_description": "Session doesn't have required client"
}

How to Reproduce?

Scenario: Refresh token is not valid

  • Login with scope offline_access
  • Wait for session idle timeout to pass
  • Make request to fetch new access token

Scenario: Refresh token is valid

  • Login with scope offline_access
  • Wait for time less than session idle timeout
  • Make request to fetch new access token

I have a bash script to reproduce the behaviour. The first scenario requires sleep 2100s and the second something like sleep 1500s.

#!/bin/bash
# Reproduction script: fill in the five variables below.

KC_SERVER=''
KC_REALM=''
KC_CLIENT=''
USERNAME=''
PASSWORD=''

KC_TOKEN_ENDPOINT="$KC_SERVER/auth/realms/$KC_REALM/protocol/openid-connect/token"

echo "URL: $KC_TOKEN_ENDPOINT"

# Resource Owner Password grant, requesting an offline token via the offline_access scope.
refresh_token=$(curl -k -s \
  -d "client_id=$KC_CLIENT" \
  --data-urlencode "username=$USERNAME" \
  --data-urlencode "password=$PASSWORD" \
  -d "grant_type=password" \
  -d "scope=openid offline_access" \
  "$KC_TOKEN_ENDPOINT" | jq -r '.refresh_token')

echo "$refresh_token"

date
echo 'waiting ...'

# 2100s (longer than the 30m session idle/max) reproduces the failing scenario;
# use something like 1500s for the passing one.
sleep 2100s

# Exchange the refresh token for a new access token.
curl -k -s \
  -d "client_id=$KC_CLIENT" \
  -d "grant_type=refresh_token" \
  -d "refresh_token=$refresh_token" \
  "$KC_TOKEN_ENDPOINT" | jq
date

Anything else?

Refresh token from keycloak is correct one:

{
  "iat": 1640106070,
  "jti": "{id}",
  "iss": "{my keycloack}",
  "aud": "{my keycloack}",
  "sub": "{id}",
  "typ": "Offline",
  "azp": "{my client}",
  "session_state": "{id}",
  "scope": "openid offline_access"
}
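As an added triage helper (not part of this issue or of Keycloak itself), the script below decodes a refresh token's payload without verifying its signature and checks the two things that decide whether a refresh is session-bound: that the token is an offline token (typ "Offline" with scope offline_access, as in the decoded token above) and that its azp matches the client_id sent in the refresh request. The sample tokens, the helper names and the client ids are constructed for the example.

```python
import base64
import json


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test fixture: header.payload.placeholder-signature. Not a real token."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()  # JWS strips base64url padding
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS WITHOUT verifying the signature.
    Triage only: nothing here should be trusted until the signature is checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated JWS segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_refresh_request(token: str, client_id: str) -> list:
    """List reasons this token would still be tied to the SSO session or be rejected
    when presented to the token endpoint with the given client_id."""
    claims = decode_jwt_payload(token)
    problems = []
    if claims.get("typ") != "Offline":
        problems.append(f"typ is {claims.get('typ')!r}, not 'Offline': session-bound refresh token")
    if "offline_access" not in claims.get("scope", "").split():
        problems.append("scope lacks offline_access")
    if claims.get("azp") != client_id:
        problems.append(f"azp {claims.get('azp')!r} differs from client_id {client_id!r}")
    return problems


# Constructed samples: an offline token like the one in the issue, and an ordinary one.
OFFLINE_TOKEN = make_unsigned_jwt({"typ": "Offline", "azp": "my-client",
                                   "scope": "openid offline_access", "session_state": "s1"})
ONLINE_TOKEN = make_unsigned_jwt({"typ": "Refresh", "azp": "my-client",
                                  "scope": "openid", "exp": 1640107870})

if __name__ == "__main__":
    print("offline token, same client:", check_refresh_request(OFFLINE_TOKEN, "my-client"))
    print("refresh token, other client:", check_refresh_request(ONLINE_TOKEN, "other-client"))
```

Run it against the real refresh_token the reproduction script prints; an empty list means the token itself is an offline token for the right client, so a rejection points at the server-side session handling rather than at the token.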

Labels

area/oidc (Indicates an issue on OIDC area), kind/bug (Categorizes a PR related to a bug)