[keycloak-user] can't use refresh token with keycloak-gatekeeper

Andrey Kozichev akozichev at gmail.com
Tue Nov 20 19:01:06 EST 2018


Hello!
Has anyone come across the use of refresh tokens with keycloak-gatekeeper?

I've got a Web app running behind keycloak-gatekeeper. Currently the session
expires after 5 minutes of inactivity. In the logs I see "session expired
and access token refreshing is disabled".

To avoid this, I am trying to enable "refresh tokens" on my gatekeeper
proxy by adding "*--enable-refresh-tokens=true*". The full list of
configuration options:


        - --client-id=my_clientid
        - --discovery-url=<keycloak_url>
        - --enable-default-deny=false
        - --enable-json-logging=true
        - --enable-logging=true
        - --enable-request-id=true
        - --enable-encrypted-token=true
        - --encryption-key=<secret>
*        - --enable-refresh-tokens=true*
        - --enable-security-filter=true
        - --listen=0.0.0.0:8080
        - --preserve-host=true
        - --redirection-url=http://my-public-url
        - --resources=uri=/*|roles=user-role
        - --upstream-url=myservice.svc.cluster.local:8080

However, after adding "*enable-refresh-tokens=true*", I get a 502 when trying
to log in.
In the Gatekeeper logs I see the lines below. Has anyone come across this? I
must be missing something obvious.


{"level":"info","ts":1542757702.835068,"msg":"issuing access token for user","email":"myemail at gmail.com","expires":"2018-11-20T23:53:22Z","duration":"4m59.164934314s"}

{"level":"info","ts":1542757702.8363702,"msg":"client request","latency":0.05726285,"status":307,"bytes":37,"client_ip":"10.44.1.32:60746","method":"GET","path":"/oauth/callback"}

*{"level":"error","ts":1542757702.8891447,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}*

{"level":"info","ts":1542757702.8892436,"msg":"client request","latency":0.000152955,"status":307,"bytes":75,"client_ip":"10.44.1.32:60752","method":"GET","path":"/favicon.ico"}

{"level":"info","ts":1542757703.03116,"msg":"client request","latency":0.001002773,"status":307,"bytes":319,"client_ip":"10.44.1.32:60754","method":"GET","path":"/oauth/authorize"}

{"level":"info","ts":1542757703.108161,"msg":"issuing access token for user","email":"myemail at gmail.com","expires":"2018-11-20T23:53:23Z","duration":"4m59.891841634s"}

{"level":"info","ts":1542757703.109042,"msg":"client request","latency":0.021427778,"status":307,"bytes":48,"client_ip":"10.44.1.32:60758","method":"GET","path":"/oauth/callback"}


Regards,
Andrey
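
Added example, not part of the original post or of the gatekeeper project: a Python script that scans gatekeeper's JSON log lines for the sequence visible in the excerpt above, where a token is issued and /oauth/callback is answered, then "no session found" is logged moments later. The sample lines are constructed from the posted excerpt (e-mail replaced by a placeholder); the function names and the 2-second window are assumptions.

```python
import json

# Constructed sample: the log excerpt from the post, one JSON object per line.
SAMPLE_LOG = """\
{"level":"info","ts":1542757702.835068,"msg":"issuing access token for user","email":"user@example.com","expires":"2018-11-20T23:53:22Z","duration":"4m59.164934314s"}
{"level":"info","ts":1542757702.8363702,"msg":"client request","latency":0.05726285,"status":307,"bytes":37,"client_ip":"10.44.1.32:60746","method":"GET","path":"/oauth/callback"}
*{"level":"error","ts":1542757702.8891447,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}*
{"level":"info","ts":1542757702.8892436,"msg":"client request","latency":0.000152955,"status":307,"bytes":75,"client_ip":"10.44.1.32:60752","method":"GET","path":"/favicon.ico"}
{"level":"info","ts":1542757703.03116,"msg":"client request","latency":0.001002773,"status":307,"bytes":319,"client_ip":"10.44.1.32:60754","method":"GET","path":"/oauth/authorize"}
{"level":"info","ts":1542757703.108161,"msg":"issuing access token for user","email":"user@example.com","expires":"2018-11-20T23:53:23Z","duration":"4m59.891841634s"}
{"level":"info","ts":1542757703.109042,"msg":"client request","latency":0.021427778,"status":307,"bytes":48,"client_ip":"10.44.1.32:60758","method":"GET","path":"/oauth/callback"}
"""


def parse_lines(text):
    """Yield decoded JSON log records, skipping blank or non-JSON lines."""
    for line in text.splitlines():
        line = line.strip().strip("*")  # drop mail-archive emphasis markers
        if not line.startswith("{"):
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # wrapped or truncated line; ignore it


def find_login_loops(records, window=2.0):
    """Return (issued_ts, lost_ts) pairs: token issued, callback served,
    then the session reported missing within `window` seconds."""
    loops, issued_ts, callback_seen = [], None, False
    for rec in records:
        ts, msg = rec.get("ts", 0.0), rec.get("msg", "")
        if msg.startswith("issuing access token"):
            issued_ts, callback_seen = ts, False
        elif msg == "client request" and rec.get("path") == "/oauth/callback":
            callback_seen = issued_ts is not None
        elif msg.startswith("no session found") and callback_seen:
            if ts - issued_ts <= window:
                loops.append((issued_ts, ts))
            issued_ts, callback_seen = None, False
    return loops


if __name__ == "__main__":
    for issued, lost in find_login_loops(parse_lines(SAMPLE_LOG)):
        print(f"session lost {lost - issued:.3f}s after token issued at ts={issued}")
```

A hit means the browser's next request after the callback arrived without a session the proxy could read, which narrows the investigation to what the callback response set and what the browser sent back.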

