[keycloak-dev] Why does client session expire regardless remember-me extended validity?

Ken Haendel kschwiersch at yahoo.de
Thu Feb 14 07:34:26 EST 2019 

Hi Stefan, Marek


Thank you for your quick reply.

I have recently tested your pull request [1], if that fixes my issue 
with the expired client session cache and it does NOT. It only fixes an 
issue with the user session cache.

My proposal to fix that problem would be as follows (verified here):

diff --git 
a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java 
b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java
index b1429a6391..54cb244624 100755
--- 
a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java
+++ 
b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java
@@ -529,7 +529,7 @@ public class InfinispanUserSessionProvider 
implements UserSessionProvider {
          localClientSessionCacheStoreIgnore
                  .entrySet()
                  .stream()
- 
.filter(AuthenticatedClientSessionPredicate.create(realm.getId()).expired(expired))
+ 
.filter(AuthenticatedClientSessionPredicate.create(realm.getId()).expired(expiredRememberMe))


Using that change, the life span of the client session would be longer 
for remember-me logins.

Can you please check if that makes sense for you?

It would be nice if a fix could be added in the next releases to make it 
unnecessary to patch the further release :-)

Kind regards,

Ken


[1] https://github.com/keycloak/keycloak/pull/5852

Am 13.02.19 um 18:27 schrieb Stefan Guilhen:
> It is possible that Ken is seeing something different. I will take a 
> look into it to be sure.
>
> Best regards,
> Stefan
>
> On Wed, Feb 13, 2019, 13:43 Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com> wrote:
>
>     We have PR open, which is related to that [1], but not sure if
>     that PR
>     fixes also your issue. It seems there is nothing related to client
>     sessions. I am CCing Stefan in case he has some more to it.
>
>     In the meantime, if you are curious if fix works, I suggest to
>     cherry-pick Stefan's commit and build Keycloak and check if the
>     behaviour is fixed with that PR.
>
>     [1] https://github.com/keycloak/keycloak/pull/5852
>
>     Marek
>
>     On 13/02/2019 14:15, Ken Haendel wrote:
>     > I have a problem authenticating a spring secured web-app using
>     keycloak
>     > 4.8.3.
>     >
>     > If the user logs in with remember-me enabled, the user session
>     does use
>     > a larger SSO max life span (ssoSessionMaxLifespanRememberMe).
>     >
>     > So far so good.
>     >
>     > Now i want to call another secured REST-API using the
>     KeycloakRestService.
>     >
>     > That triggers OAuthRequestAuthenticator to verify token
>     > (AdapterTokenVerifier.verifyTokens).
>     >
>     > That operation fails, because the client session expired much
>     earlier
>     > (after ssoSessionMaxLifespan). The client session gets removed
>     from the
>     > client session cache
>     > (InfinispanUserSessionProvider.removeExpiredUserSessions).
>     >
>     > Error message of AdapterTokenVerifier.verifyTokens() is:
>     >
>     > "ERROR RefreshableKeycloakSecurityContext Refresh token failure
>     status:
>     > 400 {"error":"invalid_grant","error_description":"Session
>     doesn't have
>     > required client"}"
>     >
>     >
>     > So, the point is: after the client session gets removed from
>     cache (SSO
>     > max life span) i can no longer use the refresh token to request new
>     > tokens and call another REST-API service
>     >
>     > using the same identity as the web-app.
>     >
>     > Even though i have still a valid user session to use my spring app.
>     >
>     >
>     > Expectation was: I can use refresh token within the larger time span
>     > with remember-me enabled (SsoSessionMaxLifespanRememberMe).
>     >
>     > Actual behaviour is: Refresh token gets useless within the
>     shorter time
>     > span (ssoSessionMaxLifespan)
>     >
>     > Question: Why is the client session removed so early and not
>     when the
>     > user session expires? Is that expected behavoiur?
>     >
>     > Thank you in advance,
>     >
>     > Ken
>     >
>     >
>     > _______________________________________________
>     > keycloak-dev mailing list
>     > keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>     > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>

More information about the keycloak-dev mailing list