Client Sessions Timing Out Too Early - Ignoring Client Level Session Settings #15829
Description
Area
core
Describe the bug
Early expiration issues occur for clients using the Authorization Code grant type when Client level settings of Client Session Idle or Client Session Max have greater values than the corresponding Realm level token settings of SSO Session Idle, SSO Session Max, Client Session Idle and Client Session Max.
For example:
Realm:
SSO Session Idle: 12 hours
SSO Session Max: 12 hours
Client Session Idle: 5 minutes
Client Session Max: 1 hours
Client:
Client Session Idle: 30 mins
Client Session Max: 12 hour
In these circumstances, Client Sessions expire too early. In the example above, the client session expires when the session is idle for about 8 or so minutes rather than the expected 30 minutes.
When an attempt is made to refresh a token, the following error occurs:
"error": "invalid_grant",
"error_description": "Session doesn't have required client"
This happens as the the client session has been removed from cache (Infinispan). Note: the expiry times on the tokens have been calculated correctly. The issue is in the cache expiry logic.
The problem was introduced with this PR #7736 and was logged as an issue in the Red Hat repository https://issues.redhat.com/browse/KEYCLOAK-17111. It looks like the issue is not explicitly logged in this repository.
The logic in the SessionsTimeout class takes no account of the Client level settings for Client Session Idle and Client Session max.
Version
18.0.2, 20
Expected behavior
For the example given in the bug description with the settings below, the Client Session should not expire before it has been idle for at least 30 mins or active for 12 hours.
Realm:
SSO Session Idle: 12 hours
SSO Session Max: 12 hours
Client Session Idle: 5 minutes
Client Session Max: 1 hours
Client:
Client Session Idle: 30 mins
Client Session Max: 12 hour
Actual behavior
For the example given in the bug description with the settings below, the Client Session is expiring after the user is idle for about 8 minutes.
Realm
SSO Session Idle: 12 hours
SSO Session Max: 12 hours
Client Session Idle: 5 minutes
Client Session Max: 1 hours
Client:
Client Session Idle: 30 mins
Client Session Max: 12 hour
How to Reproduce?
- Start a fresh Keycloak instance.
- Create a test realm
- Create a test client in the test realm that uses OpenId connect with an Access Type of public
- Create a test user in the test realm
- Configure the session idle/max settings.
Realm:
SSO Session Idle: 12 hours
SSO Session Max: 12 hours
Client Session Idle: 5 minutes
Client Session Max: 1 hours
Test client:
Client Session Idle: 30 mins
Client Session Max: 12 hours
- Use a REST API client to obtain an access token and refresh token for the test user via the Authorization Code grant type.
- Wait 15 minutes. Note: it is important not to use the Keycloak admin console to view sessions during this time as this stops the user session being idle.
- Use the Keycloak admin console to view the test user's sessions. It can be observed that the client session is no longer linked to the user session.
- Try to use the refresh token to obtain a new access token. An error occurs - see below
"error": "invalid_grant",
"error_description": "Session doesn't have required client"
Anything else?
We have worked around this issue by setting no values for the Realm level Client Session Idle and Max settings. This means that the cache expiry logic uses the SSO Session Idle and SSO Session Max on the Realm which are (naturally and unsurprisingly) higher than our client expiry time-outs. We are effectively using these Realm level settings to control expiry of cached client sessions. We're using the settings of Client Session Idle and Client Session max on each of our clients to manage the actual expiry of tokens.