[keycloak-user] Offline Tokens Become Useless When SSO Session Max is Reached - 2.0
Heide, Marc
heide at 365farmnet.com
Tue May 2 08:43:12 EDT 2017
Hi,
We try to use Keycloak with offline tokens for end users, but in contradiction to
https://lists.jboss.org/pipermail/keycloak-user/2017-January/009096.html
where the Admin API is requested, we try to access the UserInfo enpoint.
As soon as the user session died, which has created the offline token, the UserInfo endpoint returns a 401 with:
{
"error": "invalid_request",
"error_description": "User session not found"
}
By looking at
https://issues.jboss.org/browse/KEYCLOAK-4201 and
https://issues.jboss.org/browse/KEYCLOAK-4371
and without really knowing the internals, but could it be the same problem here in the UserInfoEndpoint class line 142 ?
It obviously does not consider offline sessions at all. Is that a wanted behavior?
According to the OIDC spec the UserInfo endpoint should be usable with a valid offline access token even if the user session has been ended.
(http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess)
Best Regards
Marc
More information about the keycloak-user
mailing list