Description
Area
oidc
Describe the bug
Offline tokens created in Keycloak 9 will not work on Keycloak 25
Keycloak 9 refresh tokens did not include a sid claim, which is now used as the session identifier when looking up an offline session.
When an upgraded instance of Keycloak 25 receives this offline token, it will not be able to look up the session because the sid claim and the associated session identifier are null.
Uncaught server error: java.lang.NullPointerException: Null keys are not supported!
at java.base/java.util.Objects.requireNonNull(Objects.java:235)
at org.infinispan.cache.impl.CacheImpl.assertKeyNotNull(CacheImpl.java:210)
at org.infinispan.cache.impl.CacheImpl.get(CacheImpl.java:549)
at org.infinispan.cache.impl.CacheImpl.get(CacheImpl.java:545)
at org.infinispan.cache.impl.EncoderCache.get(EncoderCache.java:735)
at org.keycloak.models.sessions.infinispan.changes.InfinispanChangelogBasedTransaction.get(InfinispanChangelogBasedTransaction.java:140)
at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getUserSessionEntity(InfinispanUserSessionProvider.java:347)
at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getUserSession(InfinispanUserSessionProvider.java:275)
at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getOfflineUserSession(InfinispanUserSessionProvider.java:817)
at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider.getOfflineUserSession(InfinispanUserSessionProvider.java:94)
at org.keycloak.services.managers.UserSessionManager.findOfflineUserSession(UserSessionManager.java:75)
at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:152)
at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:402)
at org.keycloak.protocol.oidc.grants.RefreshTokenGrantType.process(RefreshTokenGrantType.java:76)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:140)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint$quarkusrestinvoker$processGrantRequest_6408e15340992839b66447750c221d9aaa837bd7.invoke(Unknown Source)
at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:840)
Version
25.0.1
Regression
- The issue is a regression
Expected behavior
This could go two ways - implement some backwards compatibility of some kind to allow these to continue to work OR it is called out explicitly in the upgrading guide so administrators can communicate to their users to get new tokens.
Actual behavior
Offline sessions fail, and administrators are not aware that upgrading to Keycloak 25 would break offline sessions created in a prior instance.
How to Reproduce?
Deploy Keycloak 9, create a client that can receive an offline token, save the offline token, upgrade the Keycloak instance to 25, and attempt to use the offline token.
Anything else?
sid claim added - 8c1ea60
session_state removed - b4f791b
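An added example (not code from this issue or from the Keycloak project) that shows how an administrator could inventory stored offline tokens before upgrading, and how a sid-or-session_state fallback avoids the null key the stack trace shows. It decodes the JWT payload without verifying the signature, which is fine for inspecting tokens you already hold but must never be used to accept one. The claim names sid and session_state come from the issue; the sample tokens are constructed here with a dummy signature segment, and the fallback order is a suggested compatibility approach, not Keycloak's actual behaviour.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS.

    The signature is NOT checked. This is only for inventorying tokens that
    are already stored; a server must still verify before trusting a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def session_id_for_lookup(claims: dict):
    """Session key a compatible lookup could use.

    Prefer 'sid' (present in current tokens), fall back to the older
    'session_state' claim, and return None instead of a null key when
    neither exists, so the caller can reject the token cleanly rather than
    hand None to the session cache (the NPE in the issue).
    """
    sid = claims.get("sid")
    if sid:
        return sid
    return claims.get("session_state") or None


def classify_token(token: str) -> str:
    """'ok' has sid, 'legacy' has only session_state, 'unresolvable' has neither."""
    claims = decode_claims(token)
    if claims.get("sid"):
        return "ok"
    if claims.get("session_state"):
        return "legacy"
    return "unresolvable"


def audit(tokens) -> dict:
    """Count tokens per class so an admin knows how many users need new tokens."""
    counts = {"ok": 0, "legacy": 0, "unresolvable": 0}
    for token in tokens:
        counts[classify_token(token)] += 1
    return counts


def make_unsigned_token(claims: dict) -> str:
    """Constructed fixture: JWT header and payload with a dummy 'x' signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.x"


# Constructed sample tokens (no real issuer, no real signature).
LEGACY_TOKEN = make_unsigned_token(
    {"iss": "https://kc.example/realms/demo", "session_state": "a1b2c3"}
)
CURRENT_TOKEN = make_unsigned_token(
    {"iss": "https://kc.example/realms/demo", "sid": "d4e5f6", "session_state": "d4e5f6"}
)
BROKEN_TOKEN = make_unsigned_token({"iss": "https://kc.example/realms/demo"})


if __name__ == "__main__":
    for name, tok in [("legacy", LEGACY_TOKEN), ("current", CURRENT_TOKEN), ("broken", BROKEN_TOKEN)]:
        print(name, classify_token(tok), session_id_for_lookup(decode_claims(tok)))
    print(audit([LEGACY_TOKEN, CURRENT_TOKEN, BROKEN_TOKEN]))
```

Running audit over an export of users' stored offline tokens gives the number of "legacy" tokens that would hit the null-key path after the upgrade, which is the figure an administrator needs to decide between waiting for a compatibility fix and telling those users to obtain new tokens.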