[keycloak-user] Refresh_token error after keycloak cluster restart
Mariusz Chruscielewski - Info.nl
mariusz at info.nl
Mon Dec 17 04:53:24 EST 2018
Hi. We run 2 Keycloak nodes, configured as a cluster, with an Infinispan cache to keep sessions alive after a Keycloak restart.
We use Keycloak from 2 places: the website (using the Keycloak Tomcat Adapter) and the mobile app.
Keycloak version currently used is 3.4.3
After Keycloak is restarted, it all works fine on the website; after an attempt to use the website, I see the following message in the Keycloak log:
2018-12-17 09:23:49,814 WARN [org.keycloak.events] (default task-3) type=REFRESH_TOKEN_ERROR, realmId=vi, clientId=vinl, userId=55aaa7ad-d4f9-40c1-af1a-c5c2baa4efe5, ipAddress=172.23.11.105, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=9f1a1f58-77b8-4823-8e3c-1d6a8c58b870, client_auth_method=client-secret
2018-12-17 09:23:49,935 DEBUG [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-4) PKCE non-supporting Client
2018-12-17 09:23:49,950 DEBUG [org.keycloak.protocol.AuthorizationEndpointBase] (default task-4) Sent request to authz endpoint. We don't have root authentication session with ID '60e3ed59-191a-416b-bc95-c77c684d8855' but we have userSession.Re-created root authentication session with same ID. Client is: vinl . New authentication session tab ID: 4FyAEpyxlE0
2018-12-17 09:23:49,986 DEBUG [org.keycloak.protocol.oidc.TokenManager] (default task-4) Using full scope for client
2018-12-17 09:23:50,121 INFO [org.keycloak.services] (default task-4) [BROWSER] LOGIN Viafoura session table is not updated because it's identical: [vi_ef3920ff8a625b187a7e04a2f6328aafde805fd05148ea457eebef9d5f6005a97dd7c46e16ff265591a0c9ba98547353_60e3ed59-191a-416b-bc95-c77c684d8855] user [mariusz at info.nl] on [Mon Dec 17 09:23:50 CET 2018]
2018-12-17 09:23:50,145 DEBUG [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-4) redirectAccessCode: state: c196bdca-a896-4880-9ab0-d2e96e85cf3a
For the app, the flow is:
* The user logs in using a browser view, on the Keycloak login page
* Token and refreshToken are stored in the app
After Keycloak is restarted, the app tries to refresh the token and gets:
2018-12-17 10:08:37,717 WARN [org.keycloak.events] (default task-11) type=REFRESH_TOKEN_ERROR, realmId=vi, clientId=vinl, userId=1d8e3db1-9976-48d6-af7e-02aa6ed126dc, ipAddress=92.67.76.89, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=869ddaec-b68a-4695-9f88-222852a302fe, client_auth_method=client-secret
The response from the REST call is:
{
"error": "invalid_grant",
"error_description": "Session doesn't have required client"
}
Can you please help me to solve that issue?
Regards
Mariusz
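
Added example, not part of the original post and not Keycloak code: a small parser for the `org.keycloak.events` lines quoted above that counts REFRESH_TOKEN_ERROR events per realm, client and error, so a burst of refresh failures after a restart can be attributed to specific clients. The function names and the sample lines (realm, client names, user IDs, documentation-range IPs) are constructed for illustration.

```python
import re
from collections import Counter

# Matches event-logger lines in the format shown in the post:
# "<date> <time>,<ms> <LEVEL> [org.keycloak.events] (<thread>) key=value, key=value, ..."
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+\w+\s+"
    r"\[org\.keycloak\.events\]\s+\([^)]*\)\s+(?P<fields>.+)$"
)

def parse_event(line):
    """Return the event's key=value fields as a dict, or None for non-event lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    event = {"timestamp": m.group("ts")}
    # Assumes values contain no ", " themselves, as in the lines in the post.
    for pair in m.group("fields").split(", "):
        key, sep, value = pair.partition("=")
        if sep:
            event[key.strip()] = value.strip()
    return event

def refresh_failures(lines):
    """Count REFRESH_TOKEN_ERROR events per (realmId, clientId, error)."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev and ev.get("type") == "REFRESH_TOKEN_ERROR":
            counts[(ev.get("realmId"), ev.get("clientId"), ev.get("error"))] += 1
    return counts

# Constructed sample input (made-up IDs and IPs), mirroring the format in the post.
SAMPLE = [
    "2018-12-17 09:23:49,814 WARN [org.keycloak.events] (default task-3) type=REFRESH_TOKEN_ERROR, realmId=demo, clientId=web, userId=00000000-0000-0000-0000-000000000001, ipAddress=192.0.2.10, error=invalid_token, grant_type=refresh_token",
    "2018-12-17 09:23:49,986 DEBUG [org.keycloak.protocol.oidc.TokenManager] (default task-4) Using full scope for client",
    "2018-12-17 10:08:37,717 WARN [org.keycloak.events] (default task-11) type=REFRESH_TOKEN_ERROR, realmId=demo, clientId=web, userId=00000000-0000-0000-0000-000000000002, ipAddress=198.51.100.7, error=invalid_token, grant_type=refresh_token",
    "2018-12-17 10:09:02,101 WARN [org.keycloak.events] (default task-12) type=REFRESH_TOKEN_ERROR, realmId=demo, clientId=mobile, userId=00000000-0000-0000-0000-000000000003, ipAddress=198.51.100.8, error=invalid_token, grant_type=refresh_token",
]

if __name__ == "__main__":
    for (realm, client, error), n in refresh_failures(SAMPLE).most_common():
        print(f"{realm}/{client}: {n} x {error}")
```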