USER_SESSION_NOT_FOUND during token validation with valid access token #39958

@zadm

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

oidc

Describe the bug

At the first login, we successfully obtain an access token, and the application loads correctly.

However, after refreshing the page, the user is unexpectedly logged out, and the following warning appears in the Keycloak logs:

2025-05-26 09:23:13,420 WARN  [org.keycloak.events] (executor-thread-458) 
type="USER_INFO_REQUEST_ERROR", 
realmId="Internal-idp", 
realmName="Internal-idp", 
clientId="client_id", 
userId="null", 
sessionId="9bf20467-e549-46e5-b9f1-2692726d638b", 
ipAddress="x.x.x.x", 
error="user_session_not_found", 
auth_method="validate_access_token"

This suggests that although the token is valid, the associated user session is not found, leading to the application being unable to restore the user's session after the page reload.

Version

26.2.3

Regression

  • The issue is a regression

Expected behavior

After the first successful login and token issuance, the user should remain authenticated across page reloads. The access token should continue to be valid, and Keycloak should correctly associate it with an active user session, allowing the application to restore the session seamlessly without forcing a logout.

Actual behavior

After the initial login, the application loads correctly. However, upon refreshing the page, the user is logged out unexpectedly.

How to Reproduce?

Upgrade from Keycloak 25 to 26.2.3 with the configuration below.

Dockerfile

ARG VENDOR_VERSION=26.2.3
# hadolint ignore=DL3006
FROM registry.access.redhat.com/ubi9 AS ubi-micro-build
ARG VENDOR_VERSION=26.2.3
RUN mkdir -p /mnt/rootfs

# hadolint ignore=DL3041
RUN dnf install --installroot /mnt/rootfs curl git tar jq openssl java-21-openjdk-devel which glibc-langpack-en --releasever 9 --setopt install_weak_deps=false --nodocs -y && \
    dnf --installroot /mnt/rootfs clean all && \
    rpm --root /mnt/rootfs -e --nodeps setup
    
FROM quay.io/keycloak/keycloak:${VENDOR_VERSION} as builder

ARG KEYCLOAK_METRICS_SPI_RELEASE=7.0.0
ENV KC_DB=postgres
ENV KC_HTTP_RELATIVE_PATH=/auth
ENV KC_CACHE_CONFIG_FILE=cache-ispn.xml
ENV KC_HEALTH_ENABLED=true
ENV KC_FEATURES=token-exchange,scripts,user-event-metrics
# Metrics
ENV KC_EVENT_METRICS_USER_ENABLED=true
ENV KC_METRICS_ENABLED=true

ADD --chown=keycloak:keycloak https://github.com/aerogear/keycloak-metrics-spi/releases/download/${KEYCLOAK_METRICS_SPI_RELEASE}/keycloak-metrics-spi-${KEYCLOAK_METRICS_SPI_RELEASE}.jar /opt/keycloak/providers/keycloak-metrics-spi.jar

RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:${VENDOR_VERSION}
ARG VENDOR_VERSION=26.2.3
ARG KEYCLOAK_METRICS_SPI_RELEASE=7.0.0
ARG GIT_REPO=keycloak/keycloak
ARG KEYCLOAK_DIST=https://github.com/keycloak/keycloak/releases/download/${VENDOR_VERSION}/keycloak-${VENDOR_VERSION}.tar.gz

COPY --from=ubi-micro-build /mnt/rootfs /
COPY --from=builder /etc /etc
COPY --from=builder /opt/keycloak/lib/quarkus/ /opt/keycloak/lib/quarkus/

USER root

COPY --chown=keycloak:keycloak themes /opt/keycloak/themes

ADD --chown=keycloak:keycloak https://github.com/aerogear/keycloak-metrics-spi/releases/download/${KEYCLOAK_METRICS_SPI_RELEASE}/keycloak-metrics-spi-${KEYCLOAK_METRICS_SPI_RELEASE}.jar /opt/keycloak/providers/keycloak-metrics-spi.jar


USER keycloak
ENTRYPOINT [ "/opt/keycloak/bin/kc.sh" ]
CMD [ "start", "--optimized" ]

HEALTHCHECK --start-period=30s --interval=30s --timeout=3s --retries=5 \
            CMD curl --silent --fail --request GET http://localhost:9000/auth/health \
                | jq --exit-status '.status == "UP"' || exit 1

Environment variables

JAVA_OPTS=-Xms128M -Xmx512M -XX:MetaspaceSize=384M -XX:MaxMetaspaceSize=256M -Djava.net.preferIPv4Stack=true
JAVA_OPTS_APPEND=-Dkeycloak.profile.feature.upload_scripts=enabled
KC_DB_PASSWORD=PASSWORD
KC_DB_URL=DB_URL
KC_DB_URL_DATABASE=keycloak
KC_DB_URL_HOST=DB_HOST
KC_DB_USERNAME=keycloak
KC_EVENT_METRICS_USER_ENABLED=true
KC_EVENT_METRICS_USER_TAGS=realm,idp,clientId
KC_HOSTNAME=KC_HOSTNAME
KC_HOSTNAME_ADMIN=KC_HOSTNAME_ADMIN
KC_HOSTNAME_STRICT=false
KC_HOSTNAME_STRICT_BACKCHANNEL=false
KC_HTTP_ENABLED=true
KC_HTTP_METRICS_HISTOGRAMS_ENABLED=true
KC_LOG_LEVEL=INFO
KC_METRICS_ENABLED=true
KC_PROXY_HEADERS=xforwarded
KC_SPI_CONNECTIONS_INFINISPAN_QUARKUS_SITE_NAME=dev
KEYCLOAK_REMOTE_ISPN_CONN_TIMEOUT=5000
KEYCLOAK_REMOTE_ISPN_SOCK_TIMEOUT=60000
QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY=true

Anything else?

Even after disabling the new feature PERSISTENT_USER_SESSIONS, the issue is still here.
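Added example, not part of the original issue or of Keycloak's code: a triage script that parses `org.keycloak.events` records in the wrapped layout shown above and groups `user_session_not_found` userinfo failures by realm, client and session ID, so repeated failures for one session stand out. The sample log is constructed; only its first record mirrors the one in the report, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample. The first record copies the issue's wrapped layout; the
# other records are invented for this example.
SAMPLE_LOG = '''\
2025-05-26 09:23:13,420 WARN  [org.keycloak.events] (executor-thread-458)
type="USER_INFO_REQUEST_ERROR",
realmId="Internal-idp",
realmName="Internal-idp",
clientId="client_id",
userId="null",
sessionId="9bf20467-e549-46e5-b9f1-2692726d638b",
ipAddress="x.x.x.x",
error="user_session_not_found",
auth_method="validate_access_token"
2025-05-26 09:23:15,102 WARN  [org.keycloak.events] (executor-thread-460) type="USER_INFO_REQUEST_ERROR", realmName="Internal-idp", clientId="client_id", sessionId="9bf20467-e549-46e5-b9f1-2692726d638b", error="user_session_not_found"
2025-05-26 09:23:16,000 INFO  [io.quarkus] (main) constructed non-event line
2025-05-26 09:24:01,777 WARN  [org.keycloak.events] (executor-thread-461) type="LOGIN_ERROR", realmName="Internal-idp", clientId="client_id", error="invalid_user_credentials"
'''

HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(\w+)\s+\[([^\]]+)\]")
PAIR = re.compile(r'(\w+)="([^"]*)"')

def parse_events(text):
    """Return one dict per org.keycloak.events record, joining wrapped lines."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # a timestamped line starts a new record
            current = None
            if m.group(3) == "org.keycloak.events":
                current = {"timestamp": m.group(1), "level": m.group(2)}
                events.append(current)
        if current is not None:  # key="value" pairs on the header or a wrapped line
            current.update(PAIR.findall(line))
    return events

def lost_sessions(events):
    """Group user_session_not_found userinfo failures by (realm, client, session)."""
    hits = defaultdict(list)
    for ev in events:
        if (ev.get("type"), ev.get("error")) == ("USER_INFO_REQUEST_ERROR", "user_session_not_found"):
            key = (ev.get("realmName"), ev.get("clientId"), ev.get("sessionId"))
            hits[key].append(ev["timestamp"])
    return dict(hits)

if __name__ == "__main__":
    for (realm, client, sid), seen in lost_sessions(parse_events(SAMPLE_LOG)).items():
        print(f"{realm}/{client} session {sid}: {len(seen)} failures, first {seen[0]}")
```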
