[keycloak-user] ODP: Refresh_token error after keycloak cluster restart

Mariusz Chruscielewski - Info.nl mariusz at info.nl
Mon Dec 17 09:42:48 EST 2018


To explain my case a bit more, what I do is:

First I get token using:
POST https://test.vi.nl/auth/realms/vi/protocol/openid-connect/token
scope: openid
client_id: myClient
grant_type: password
username: username
password: password
response_type: code

Then I save token, restart both keycloak nodes (which work in cluster)

Then I try to do:
POST https://test.vi.nl/auth/realms/vi/protocol/openid-connect/token
scope: openid
client_id: myClient
grant_type: refresh_token
refresh_token: TOKEN
response_type: code

And that request fails with status 400 and response:
{
"error": "invalid_grant",
"error_description": "Session doesn't have required client"
}

What can I do to make that work?

Regards
Mariusz
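The two token-endpoint calls described above, plus the handling a client needs for the 400 invalid_grant that follows the cluster restart, as an added Python example that is not from the original post. TOKEN_URL, the client_id and the username/password placeholders are the ones from the post; fake_keycloak_after_restart is a constructed stand-in for the server (it answers exactly as the thread reports) so the block runs offline, and urllib_transport is the real transport a client would use instead. response_type is an authorization-endpoint parameter, so the token requests here do not send it.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Token endpoint from the post.
TOKEN_URL = "https://test.vi.nl/auth/realms/vi/protocol/openid-connect/token"


def urllib_transport(url, form):
    """Real transport: POST an x-www-form-urlencoded body and return (status, json).
    Keycloak reports token errors as 4xx with a JSON body, so HTTPError is data, not a crash."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read().decode() or "{}")


def fake_keycloak_after_restart(url, form):
    """Constructed stand-in for the server in the post: every refresh fails the way the
    thread reports, while a fresh password grant succeeds. Assumed token values."""
    if url != TOKEN_URL:
        raise ValueError("unexpected URL: %s" % url)
    if form.get("grant_type") == "refresh_token":
        return 400, {"error": "invalid_grant",
                     "error_description": "Session doesn't have required client"}
    if form.get("grant_type") == "password":
        return 200, {"access_token": "new-access", "refresh_token": "new-refresh",
                     "token_type": "bearer", "expires_in": 300}
    return 400, {"error": "unsupported_grant_type"}


def password_grant(client_id, username, password, http=urllib_transport):
    """Resource Owner Password Credentials grant: the first request in the post."""
    return http(TOKEN_URL, {
        "grant_type": "password",
        "client_id": client_id,
        "scope": "openid",
        "username": username,
        "password": password,
    })


def refresh_grant(client_id, refresh_token, http=urllib_transport):
    """Refresh Token grant: the second request in the post."""
    return http(TOKEN_URL, {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "scope": "openid",
        "refresh_token": refresh_token,
    })


def refresh_or_relogin(client_id, refresh_token, relogin, http=urllib_transport):
    """Try to refresh; on 400 invalid_grant (the post-restart failure) discard the stale
    refresh token and obtain a new session via `relogin`, a zero-argument callable that
    returns a fresh token set (browser re-login for the app, password grant in the test).
    Returns (token_set, reauthenticated). Any other failure is raised rather than retried,
    so a misconfigured client (e.g. invalid_client) does not loop on re-authentication."""
    status, body = refresh_grant(client_id, refresh_token, http)
    if status == 200:
        return body, False
    if status == 400 and body.get("error") == "invalid_grant":
        # The server-side session is gone; this refresh token must never be retried.
        return relogin(), True
    raise RuntimeError("token endpoint returned %s: %s" % (status, body))


if __name__ == "__main__":
    # Offline walk-through of the thread's scenario against the constructed server.
    status, tokens = password_grant("myClient", "username", "password",
                                    fake_keycloak_after_restart)
    print("login:", status, tokens)
    relogin = lambda: password_grant("myClient", "username", "password",
                                     fake_keycloak_after_restart)[1]
    tokens, reauth = refresh_or_relogin("myClient", tokens["refresh_token"],
                                        relogin, fake_keycloak_after_restart)
    print("after restart: re-authenticated =", reauth, tokens)
```

The decision rule is the point: a refresh token that draws invalid_grant is dead and should be dropped, not retried, while any other error is surfaced. Using the password grant as the fallback is only reasonable where the password is already in hand, as in the test above; the mobile app should instead send the user back through the browser login it used the first time.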

-----Original message-----
From: Mariusz Chruscielewski - Info.nl 
Sent: Monday, 17 December, 2018 13:19
To: Mariusz Chruscielewski - Info.nl <mariusz at info.nl>; keycloak-user <keycloak-user at lists.jboss.org>
Subject: RE: Refresh_token error after keycloak cluster restart

What I also found during debugging is that TokenManager is able to find the userSession, with all details, but can't getAuthenticatedClientSessionByClient (line 162, TokenManager.java).

What I see in debug is that UserSessionAdapter has an entity field (UserSessionEntity), and this entity contains authenticatedClientSessions (with session ID and the correct clientID). So I don't understand why this call:

userSession.getAuthenticatedClientSessionByClient(client.getId())

Is returning null. Also this:
userSession.getAuthenticatedClientSessions()

returns empty list.

Do you know, if that might be caused by some misconfiguration? 

Regards
Mariusz



-----Original message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On behalf of Mariusz Chruscielewski - Info.nl
Sent: Monday, 17 December, 2018 10:53
To: keycloak-user <keycloak-user at lists.jboss.org>
Subject: [keycloak-user] Refresh_token error after keycloak cluster restart

Hi. We run 2 Keycloak nodes, configured as a cluster, with the Infinispan cache to keep sessions alive after a Keycloak restart.

We use Keycloak from 2 places: the website (using the Keycloak Tomcat Adapter) and the mobile app.

The Keycloak version currently used is 3.4.3.

After Keycloak is restarted, it all works fine on the website; after an attempt to use the website, I see the following messages in the Keycloak log:

2018-12-17 09:23:49,814 WARN  [org.keycloak.events] (default task-3) type=REFRESH_TOKEN_ERROR, realmId=vi, clientId=vinl, userId=55aaa7ad-d4f9-40c1-af1a-c5c2baa4efe5, ipAddress=172.23.11.105, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=9f1a1f58-77b8-4823-8e3c-1d6a8c58b870, client_auth_method=client-secret
2018-12-17 09:23:49,935 DEBUG [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-4) PKCE non-supporting Client
2018-12-17 09:23:49,950 DEBUG [org.keycloak.protocol.AuthorizationEndpointBase] (default task-4) Sent request to authz endpoint. We don't have root authentication session with ID '60e3ed59-191a-416b-bc95-c77c684d8855' but we have userSession.Re-created root authentication session with same ID. Client is: vinl . New authentication session tab ID: 4FyAEpyxlE0
2018-12-17 09:23:49,986 DEBUG [org.keycloak.protocol.oidc.TokenManager] (default task-4) Using full scope for client
2018-12-17 09:23:50,121 INFO  [org.keycloak.services] (default task-4) [BROWSER] LOGIN Viafoura session table is not updated because it's identical: [vi_ef3920ff8a625b187a7e04a2f6328aafde805fd05148ea457eebef9d5f6005a97dd7c46e16ff265591a0c9ba98547353_60e3ed59-191a-416b-bc95-c77c684d8855] user [mariusz at info.nl] on [Mon Dec 17 09:23:50 CET 2018]
2018-12-17 09:23:50,145 DEBUG [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-4) redirectAccessCode: state: c196bdca-a896-4880-9ab0-d2e96e85cf3a


For the app, the flow is:

  *   User log in using browser view, on keycloak login page
  *   Token and refreshToken are stored in app


After Keycloak is restarted, the app tries to refresh the token, and gets:

2018-12-17 10:08:37,717 WARN  [org.keycloak.events] (default task-11) type=REFRESH_TOKEN_ERROR, realmId=vi, clientId=vinl, userId=1d8e3db1-9976-48d6-af7e-02aa6ed126dc, ipAddress=92.67.76.89, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=869ddaec-b68a-4695-9f88-222852a302fe, client_auth_method=client-secret

The response from the REST call is:
{
"error": "invalid_grant",
"error_description": "Session doesn't have required client"
}

Can you please help me solve that issue?



Regards

Mariusz
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
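The REFRESH_TOKEN_ERROR lines quoted in the original message are the server-side signal that refresh tokens stopped working after the restart, and they are worth alerting on. Below is an added Python example, not from the post or from Keycloak, that parses the key=value event format of org.keycloak.events lines and summarises refresh failures per realm, client and error, with the set of affected users. SAMPLE_LOG holds the lines quoted in the thread (plus one DEBUG line to show non-event lines are skipped); note that the event log reports error=invalid_token while the HTTP response says invalid_grant, so the detection keys on the event type and the log's own error field rather than on the HTTP error string.

```python
import re
from collections import Counter

# Log lines quoted in the thread; the DEBUG line is included to show that
# non-event lines are ignored by the parser.
SAMPLE_LOG = [
    "2018-12-17 09:23:49,814 WARN  [org.keycloak.events] (default task-3) type=REFRESH_TOKEN_ERROR, "
    "realmId=vi, clientId=vinl, userId=55aaa7ad-d4f9-40c1-af1a-c5c2baa4efe5, ipAddress=172.23.11.105, "
    "error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, "
    "refresh_token_id=9f1a1f58-77b8-4823-8e3c-1d6a8c58b870, client_auth_method=client-secret",
    "2018-12-17 09:23:49,986 DEBUG [org.keycloak.protocol.oidc.TokenManager] (default task-4) "
    "Using full scope for client",
    "2018-12-17 10:08:37,717 WARN  [org.keycloak.events] (default task-11) type=REFRESH_TOKEN_ERROR, "
    "realmId=vi, clientId=vinl, userId=1d8e3db1-9976-48d6-af7e-02aa6ed126dc, ipAddress=92.67.76.89, "
    "error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, "
    "refresh_token_id=869ddaec-b68a-4695-9f88-222852a302fe, client_auth_method=client-secret",
]

# "<timestamp> <LEVEL> [<logger>] (<thread>) <message>" as in the WildFly console log above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+)\s+"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
# Split "k=v, k=v" only on a comma that is followed by another key, so a value that
# itself contains a comma (e.g. an error_description) is not cut up.
FIELD_SPLIT_RE = re.compile(r", (?=[A-Za-z_]+=)")


def parse_event_line(line):
    """Return a dict of the event's fields for an org.keycloak.events line, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m or m.group("logger") != "org.keycloak.events":
        return None
    event = {"timestamp": m.group("ts"), "level": m.group("level")}
    for field in FIELD_SPLIT_RE.split(m.group("msg")):
        key, sep, value = field.partition("=")
        if sep:
            event[key.strip()] = value.strip()
    return event


def summarize_refresh_errors(lines):
    """Count REFRESH_TOKEN_ERROR events per (realmId, clientId, error) and collect the
    distinct userIds hit by each. A spike across many users right after a restart is the
    pattern described in the thread; a single user is more likely an expired session."""
    counts = Counter()
    users = {}
    for line in lines:
        ev = parse_event_line(line)
        if not ev or ev.get("type") != "REFRESH_TOKEN_ERROR":
            continue
        key = (ev.get("realmId"), ev.get("clientId"), ev.get("error"))
        counts[key] += 1
        users.setdefault(key, set()).add(ev.get("userId"))
    return counts, users


if __name__ == "__main__":
    counts, users = summarize_refresh_errors(SAMPLE_LOG)
    for key, n in counts.most_common():
        print("realm=%s client=%s error=%s: %d events, %d users" % (key + (n, len(users[key]))))
```

Fed from `tail -F` on the server log instead of SAMPLE_LOG, the same two functions give a per-client failure count that can be compared against a baseline; after a cluster restart the interesting signal is a burst of distinct userIds under one key, not the absolute count.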