[keycloak-user] Refresh token error

Thomas Darimont thomas.darimont at googlemail.com
Wed Jun 21 09:44:58 EDT 2017


Great, thanks!

Göttlich, Thomas <thomas.goettlich at it-informatik.de> wrote on Wed., 21
June 2017, 15:43:

> Hi,
>
>
>
> I basically did what I described in this issue I posted:
> https://issues.jboss.org/browse/KEYCLOAK-4820
>
> (I unfortunately didn’t have time to prepare the pull request as well as
> the test yet.)
>
>
>
> The main part is extending FilterRequestAuthenticator and overwriting
> changeHttpSessionId() as follows:
>
>
>
> protected String changeHttpSessionId( boolean pCreate )
> {
>   // Drop any session that existed before authentication, so a session ID
>   // established before login never carries over into the authenticated session
>   HttpSession session = request.getSession( false );
>   if( session != null )
>   {
>     session.invalidate();
>   }
>
>   // Let the adapter create the new session / session ID as it normally would
>   return super.changeHttpSessionId( pCreate );
> }
>
>
>
> To use the custom authenticator we then had to subclass KeycloakOIDCFilter
> and copy doFilter() along with a few other methods because the original
> doFilter() contains this line:
>
>
>
> FilterRequestAuthenticator authenticator = new
> FilterRequestAuthenticator(deployment, tokenStore, facade, request, 8443);
>
>
>
> In our copy of doFilter() we only changed that line to get an instance of
> our custom authenticator.
>
>
>
>
>
> Kind regards
>
> on behalf of Thomas Göttlich
> -------------------------------------------------------------
> Development, factor:plus
> +49 (0)731 / 9 35 42 -301
> thomas.goettlich at it-informatik.de
> -------------------------------------------------------------
> IT-Informatik GmbH
> Magirus-Deutz-Straße 17, 89077 Ulm
> Fax: +49 (0)731 / 9 35 42 - 130
> www.it-informatik.de
> -------------------------------------------------------------
> District Court Ulm: HRB 2662
> Registered office: Ulm
> VAT ID no.: DE 145567338
> Managing Partner: Günter Nägele
>
>
>
> From: Thomas Darimont [mailto:thomas.darimont at googlemail.com]
> Sent: Wednesday, 21 June 2017 15:14
> To: Göttlich, Thomas <thomas.goettlich at it-informatik.de>
> Cc: keycloak-user <keycloak-user at lists.jboss.org>
> Subject: Re: [keycloak-user] Refresh token error
>
>
>
> Hi Thomas,
>
>
>
> Great you figured this out.
>
>
>
> Would you mind elaborating a bit about  what you did with respect to
> session fixation prevention?
>
>
>
> Cheers,
>
> Thomas
>
>
>
>
>
> On 21.06.2017 2:55 p.m., "Göttlich, Thomas" <
> thomas.goettlich at it-informatik.de> wrote:
>
> Never mind, I found the problem (at least I think I did):
>
>
> - SSO session idle: 1 minute
> - Access token lifespan: 1 minute
>
> When the access token has timed out and the application needs to refresh
> it, the SSO session has also timed out already, hence the error.
> Setting SSO session idle to 2 minutes or more fixes the issue.
>
> Kind regards
>
> on behalf of Thomas Göttlich
> -------------------------------------------------------------
> Development, factor:plus
> +49 (0)731 / 9 35 42 -301
> thomas.goettlich at it-informatik.de
> -------------------------------------------------------------
> IT-Informatik GmbH
> Magirus-Deutz-Straße 17, 89077 Ulm
> Fax: +49 (0)731 / 9 35 42 - 130
> www.it-informatik.de
> -------------------------------------------------------------
> District Court Ulm: HRB 2662
> Registered office: Ulm
> VAT ID no.: DE 145567338
> Managing Partner: Günter Nägele
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:
> keycloak-user-bounces at lists.jboss.org] On behalf of Göttlich, Thomas
> Sent: Wednesday, 21 June 2017 13:14
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Refresh token error
>
>
> Hi there,
>
> we're currently integrating two Java server applications via Keycloak and
> use a subclass of KeycloakOIDCFilter on the client side.
> The subclassing is done mainly to facilitate configuration (which is
> loaded from the database) as well as some adjustments on session fixation
> prevention and login redirect handling.
>
> It works well so far, with one exception: when the access token times out
> and needs to be refreshed, we get the following error:
>
>
> - Client: [org.keycloak.adapters.RefreshableKeycloakSecurityContext] Refresh token
>   failure status: 400 {"error":"invalid_grant","error_description":"Refresh
>   token expired"}
>
> - Keycloak: [org.keycloak.events] type=REFRESH_TOKEN_ERROR,
>   realmId=our_realm, clientId=our_client, userId=null, ipAddress=127.0.0.1,
>   error=invalid_token, grant_type=refresh_token,
>   client_auth_method=client-secret
>
> So far I could verify that the refresh token is not null so it seems to
> either be invalid or the request is faulty.
>
> For testing purposes we have set the following timeouts:
>
>
> - SSO session idle: 1 minute
> - SSO session max: 10 hours
> - Access token lifespan: 1 minute
> - Access token lifespan for implicit flow: 1 minute
>
> The client has the following settings:
>
>
> - Only standard flow enabled
> - Access type: confidential
> - Client protocol: openid-connect
>
> Any idea what could cause that error or where we should look?
>
> Thanks in advance,
>
> Thomas
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
>
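The root cause found in the thread (SSO session idle equal to the access token lifespan, so the refresh token is already dead by the time the adapter first tries to use it) is easy to reason about with a small model. The following Python is an added example, not code from the thread or from Keycloak: it models the refresh token's validity as bounded by the realm's SSO session idle and SSO session max timeouts, drives a client that only refreshes once the access token has expired, and shows why idle=1 minute / lifespan=1 minute fails on the first refresh while idle=2 minutes works. The names RealmTimeouts, Session, refresh_token_expiry, try_refresh, simulate and refresh_possible, the use of seconds, and the rule that a token counts as expired once the current time reaches the expiry instant are assumptions of the model, not Keycloak internals.

```python
"""Added model (not Keycloak code) of how realm timeouts bound refresh-token validity."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RealmTimeouts:
    """Realm settings from the thread, in seconds (hypothetical names; the
    Keycloak admin UI expresses these in minutes and hours)."""
    sso_session_idle: int
    sso_session_max: int
    access_token_lifespan: int


@dataclass
class Session:
    """Server-side SSO session: when it started and when a token was last issued or refreshed."""
    started_at: int
    last_refresh: int


def refresh_token_expiry(session: Session, t: RealmTimeouts) -> int:
    """A refresh token is usable only while the SSO session is alive: neither idle
    for longer than sso_session_idle since the last refresh, nor older than
    sso_session_max since the session started."""
    return min(session.last_refresh + t.sso_session_idle,
               session.started_at + t.sso_session_max)


def try_refresh(session: Session, t: RealmTimeouts, now: int) -> bool:
    """Attempt a refresh_token grant at time `now`. Returns False for the
    invalid_grant / "Refresh token expired" outcome reported in the thread.
    Assumption: the token counts as expired once `now` reaches the expiry instant."""
    if now >= refresh_token_expiry(session, t):
        return False
    session.last_refresh = now  # a successful refresh restarts the idle window
    return True


def simulate(t: RealmTimeouts, rounds: int) -> List[Tuple[int, bool]]:
    """Drive a client that, like the adapter in the thread, only refreshes once
    the access token has expired. Returns (time, succeeded) per attempt and stops
    at the first failure, because the SSO session is gone at that point."""
    session = Session(started_at=0, last_refresh=0)
    now = 0
    results: List[Tuple[int, bool]] = []
    for _ in range(rounds):
        now += t.access_token_lifespan  # wait for the access token to expire
        ok = try_refresh(session, t, now)
        results.append((now, ok))
        if not ok:
            break
    return results


def refresh_possible(t: RealmTimeouts) -> bool:
    """Configuration check: the access token must expire strictly before the
    SSO session goes idle, otherwise the very first refresh is already too late."""
    return t.access_token_lifespan < t.sso_session_idle


if __name__ == "__main__":
    MIN, HOUR = 60, 3600
    # Constructed from the values posted in the thread
    broken = RealmTimeouts(sso_session_idle=1 * MIN, sso_session_max=10 * HOUR,
                           access_token_lifespan=1 * MIN)
    fixed = RealmTimeouts(sso_session_idle=2 * MIN, sso_session_max=10 * HOUR,
                          access_token_lifespan=1 * MIN)
    print("idle=1m, lifespan=1m:", simulate(broken, 3))   # first refresh fails
    print("idle=2m, lifespan=1m:", simulate(fixed, 3))    # refreshes keep working
    print("chain ends at SSO max:", simulate(fixed, 700)[-1])
```

The last line of the demo shows the other bound: even with a sane idle timeout, the refresh chain ends once SSO session max (10 hours here) is reached, which is the point at which the user has to log in again rather than an error to tune away.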

