[keycloak-user] Unable To Use Refresh Token

Marek Posolda mposolda at redhat.com
Thu Mar 9 03:26:18 EST 2017


Yes, that will be useful. Feel free to create a JIRA. As a workaround, you 
can write a REST endpoint provider, which will check the status of the 
caches. See our "providers/rest" example in the keycloak-examples 
distribution on how to write a REST endpoint.

Marek

On 09/03/17 07:20, Andrew Zenk wrote:
> Beyond looking at debug log output, is there a way to check on the health
> of the cache?  It would be useful here.  I know there's a feature request
> open for a health endpoint but, to my knowledge, it hasn't been worked on
> yet.  Ideally I'd like to be able to verify that all nodes are joined to
> the cluster and that all data has been replicated/balanced appropriately.
>
> Anyway, if you turn up logging a bit you should see some output from one of
> the jgroups packages showing the current cluster members.  I've been using
> the kube_ping module successfully for discovery on openshift.
>
> On Wed, Mar 8, 2017 at 11:41 PM, Sagar Ahire <sagarahire at arvindinternet.com>
> wrote:
>
>> I tried with standalone-ha.xml, still facing the same issue.
>>
>> regards,
>>   -Sagar
>>
>> On Tue, Mar 7, 2017 at 7:50 PM, Hynek Mlnarik <hmlnarik at redhat.com> wrote:
>>
>>> Depending on your setup, you should be using either standalone-ha.xml
>>> or standalone-full-ha.xml to run in cluster.
>>>
>>> --Hynek
>>>
>>> On Tue, Mar 7, 2017 at 2:52 PM, Sagar Ahire
>>> <sagarahire at arvindinternet.com> wrote:
>>>> I'm using the standard Keycloak 2.4.0 docker image, I modified the
>>>> standalone.xml in docker file. I've increased owners count to 4.
>>>> Following are the tags I changed in *standalone.xml*.
>>>> <distributed-cache name="sessions" mode="SYNC" owners="4"/>
>>>> <distributed-cache name="offlineSessions" mode="SYNC" owners="4"/>
>>>> <distributed-cache name="loginFailures" mode="SYNC" owners="4"/>
>>>> <distributed-cache name="authorization" mode="SYNC" owners="4"/>
>>>>
>>>> But still facing the same issue. Is standalone.xml the correct file I
>>>> need to change? Or am I missing something here?
>>>>
>>>>
>>>> regards,
>>>>   -Sagar
>>>>
>>>> On Mon, Mar 6, 2017 at 7:31 PM, Andrew Zenk <azenk at umn.edu> wrote:
>>>>
>>>>> Have you increased the owner count for the various caches to something
>>>>> greater than 1?
>>>>>
>>>>> On Mar 6, 2017 7:56 AM, "Sagar Ahire" <sagarahire at arvindinternet.com>
>>>>> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I've deployed Keycloak 2.4.0 in a kubernetes environment. While
>>>>>> refreshing the access token I'm getting the following response:
>>>>>> {'error': 'invalid_grant', 'error_description': 'Client session not
>>>>>> active'}.
>>>>>>
>>>>>> Here is what I did:
>>>>>> Step1: First, I generated three access tokens and refresh tokens
>>>>>> (rf1,rf2,rf3), then I used these refresh_tokens to refresh the access
>>>>>> tokens. I got the access tokens successfully for all three requests.
>>>>>> (Successful scenario)
>>>>>>
>>>>>> Step2: I restarted some of the pods from the Keycloak cluster, I
>>>>>> tried to refresh the access tokens using the same refresh tokens
>>>>>> (rf1,rf2,rf3) again, using rf1 I could refresh the access token but
>>>>>> using rf2,rf3 I got the response mentioned above ('client session not
>>>>>> active'). I made sure rf2 and rf3 are not expired.
>>>>>>
>>>>>> I'm unable to use refresh token even though it is not expired. I
>>>>>> suspect session created on one pod is not properly shared between all
>>>>>> the members of a cluster and I'm losing the session if one of my pods
>>>>>> is restarted or goes down.
>>>>>>
>>>>>> Can someone please suggest any solution for this? Any help would be
>>>>>> greatly appreciated.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> regards,
>>>>>>   -Sagar
>>>>>> _______________________________________________
>>>>>> keycloak-user mailing list
>>>>>> keycloak-user at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>>
>>>
>>>
>>> --
>>>
>>> --Hynek
>>>
>>
>
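
A sketch of the workaround described at the top of this message, added here as an example and not taken from the keycloak-examples distribution or from any poster in the thread: a realm REST endpoint that reports, for the node answering the request, the cluster members it sees and the mode, owner count and local entry count of the caches named in the thread. The package, class names and the "cache-status" id are hypothetical; it assumes the Keycloak 2.x provider SPI and that the deployment declares module dependencies on org.keycloak.keycloak-model-infinispan and org.infinispan.

```java
// Added example, not from the keycloak-examples distribution; package and class names are hypothetical.
package example.cachestatus;

import java.util.LinkedHashMap;
import java.util.Map;
import javax.ws.rs.GET;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import org.infinispan.Cache;
import org.infinispan.context.Flag;
import org.keycloak.Config;
import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.resource.RealmResourceProviderFactory;

public class CacheStatusProviderFactory implements RealmResourceProviderFactory {
    // Cache names as listed in the thread's standalone.xml excerpt.
    private static final String[] CACHES = {"sessions", "offlineSessions", "loginFailures", "authorization"};
    @Override public String getId() { return "cache-status"; } // becomes the last URL segment
    @Override public RealmResourceProvider create(KeycloakSession session) { return new Resource(session); }
    @Override public void init(Config.Scope config) {}
    @Override public void postInit(KeycloakSessionFactory factory) {}
    @Override public void close() {}

    public static class Resource implements RealmResourceProvider {
        private final KeycloakSession session;
        Resource(KeycloakSession session) { this.session = session; }
        @Override public Object getResource() { return this; }
        @Override public void close() {}
        // No authentication is done here; member addresses are internal topology, so restrict
        // who can reach this path (network policy or a bearer-token check).
        @GET
        @Produces(MediaType.APPLICATION_JSON)
        public Map<String, Object> status() {
            InfinispanConnectionProvider ispn = session.getProvider(InfinispanConnectionProvider.class);
            Map<String, Object> out = new LinkedHashMap<>();
            for (String name : CACHES) {
                Cache<Object, Object> cache = ispn.getCache(name);
                Map<String, Object> c = new LinkedHashMap<>();
                c.put("mode", cache.getCacheConfiguration().clustering().cacheMode().toString());
                c.put("owners", cache.getCacheConfiguration().clustering().hash().numOwners());
                // Entries held on this node only; compare across pods to see how data is spread.
                c.put("localEntries", cache.getAdvancedCache().withFlags(Flag.CACHE_MODE_LOCAL).size());
                out.put(name, c);
            }
            // getMembers() is null when the cache manager is not clustered (e.g. plain standalone.xml).
            out.put("members", String.valueOf(ispn.getCache(CACHES[0]).getCacheManager().getMembers()));
            return out;
        }
    }
}
```

The factory is registered by listing its class name in META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory, after which the endpoint is served at /auth/realms/<realm>/cache-status. Each pod answers only for itself, so query every pod directly rather than through the load-balanced service when comparing member lists.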


