[keycloak-user] can't use refresh token with keycloak-gatekeeper
Christian Fränkel
Christian.Fraenkel at actico.com
Thu Nov 22 06:26:54 EST 2018
Hi,
I've encountered a similar issue and haven't been able to get the token refresh to work. I've also tried using a persistent boltdb store too without much luck.
My current configuration is the following (discovery url etc. are configured in the yaml config):
- --config=/tmp/service.yaml
- --enable-refresh-tokens
- --enable-encrypted-token
- --enable-logging=true
- --enable-security-filter=true
- --verbose
Here's an excerpt of my logs:
1.5428809565823147e+09 debug keycloak-gatekeeper/middleware.go:337 access permitted to resource {"access": "permitted", "email": "christian.fraenkel at actico.com", "expires": 29.417686616, "resource": "/api/console/*"}
1.5428809566050725e+09 info keycloak-gatekeeper/middleware.go:90 client request {"latency": 0.025043756, "status": 200, "bytes": 0, "client_ip": "192.168.201.89:43778", "method": "POST", "path": "/api/console/proxy"}
1.5428810165834415e+09 debug keycloak-gatekeeper/session.go:51 found the user identity {"id": "b841a9ec-04e6-4284-9eeb-0999d9748900", "name": "chrfra01", "email": "christian.fraenkel at actico.com", "roles": "offline_access,uma_authorization,employee,test:user,kibana:user,account:manage-account,account:manage-account-links,account:view-profile"}
1.5428810165833974e+09 info keycloak-gatekeeper/middleware.go:154 accces token for user has expired, attemping to refresh the token {"client_ip": "192.168.201.89:44036", "email": "christian.fraenkel at actico.com"}
1.5428810168737714e+09 info keycloak-gatekeeper/middleware.go:190 injecting the refreshed access token cookie {"client_ip": "192.168.201.89:44036", "cookie_name": "kc-access", "email": "christian.fraenkel at actico.com", "expires_in": 299.126230477}
1.5428810168739688e+09 debug keycloak-gatekeeper/middleware.go:337 access permitted to resource {"access": "permitted", "email": "christian.fraenkel at actico.com", "expires": -30.873967499, "resource": "/api/console/*"}
1.5428810168941607e+09 info keycloak-gatekeeper/middleware.go:90 client request {"latency": 0.311326585, "status": 200, "bytes": 0, "client_ip": "192.168.201.89:44036", "method": "POST", "path": "/api/console/proxy"}
Once the expiration goes negative each request results in a new "injecting the refreshed access token cookie" line.
Once enough time has passed (expiry > 1500 in my case) I get the following message:
1.5428825166849744e+09 warn keycloak-gatekeeper/middleware.go:175 refresh token has expired, cannot retrieve access token {"client_ip": "192.168.201.89:51046", "email": "christian.fraenkel at actico.com"}
After this line, access is no longer possible and I get redirected to the login screen.
I've also found the following comment on a GitHub commit where somebody else is encountering issues with refresh tokens:
https://github.com/keycloak/keycloak-gatekeeper/commit/0bb1c03b03c574542bd601d6f2df77c4dc06bc36#commitcomment-31130509
It would be nice to get the refresh token switch working. I'm also looking for solutions / input on this.
Regards,
Christian
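As an added example (not code from this thread or from keycloak-gatekeeper itself), a small log check that reads lines in the text-log format quoted above and reports, per user, how many refreshed cookies were injected, how many of those were followed by an "access permitted" line whose expiry was still negative (the loop Christian describes), and whether the refresh token finally ran out. The sample lines are constructed for this example; timestamps, addresses and the e-mail are made up.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines modelled on the gatekeeper output quoted in the thread.
SAMPLE_LOG = """\
1.0e+09 debug keycloak-gatekeeper/middleware.go:337 access permitted to resource {"access": "permitted", "email": "user at example.com", "expires": 29.4, "resource": "/api/*"}
1.00005e+09 info keycloak-gatekeeper/middleware.go:190 injecting the refreshed access token cookie {"client_ip": "10.0.0.5:44036", "cookie_name": "kc-access", "email": "user at example.com", "expires_in": 299.1}
1.00005e+09 debug keycloak-gatekeeper/middleware.go:337 access permitted to resource {"access": "permitted", "email": "user at example.com", "expires": -30.8, "resource": "/api/*"}
1.00010e+09 info keycloak-gatekeeper/middleware.go:190 injecting the refreshed access token cookie {"client_ip": "10.0.0.5:44040", "cookie_name": "kc-access", "email": "user at example.com", "expires_in": 299.9}
1.00010e+09 debug keycloak-gatekeeper/middleware.go:337 access permitted to resource {"access": "permitted", "email": "user at example.com", "expires": -80.1, "resource": "/api/*"}
1.00200e+09 warn keycloak-gatekeeper/middleware.go:175 refresh token has expired, cannot retrieve access token {"client_ip": "10.0.0.5:51046", "email": "user at example.com"}
"""

# Line layout: "<ts> <level> <file:line> <message> {json fields}"
LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(\S+)\s+(.*?)\s+(\{.*\})$")

def parse_line(line):
    """Split one gatekeeper log line into (timestamp, level, message, fields)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, level, _src, msg, raw = m.groups()
    return float(ts), level, msg, json.loads(raw)

def refresh_report(log_text):
    """Per user: refreshes injected, how many 'access permitted' lines right after
    a refresh still carried a negative expiry, and whether the refresh token expired."""
    report = defaultdict(lambda: {"refreshes": 0, "stale_after_refresh": 0,
                                  "refresh_token_expired": False})
    pending = set()  # users whose next "access permitted" line follows a refresh
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _ts, _level, msg, fields = parsed
        user = fields.get("email")
        if msg == "injecting the refreshed access token cookie":
            report[user]["refreshes"] += 1
            pending.add(user)
        elif msg == "access permitted to resource" and user in pending:
            pending.discard(user)
            if fields.get("expires", 0) < 0:
                report[user]["stale_after_refresh"] += 1
        elif msg == "refresh token has expired, cannot retrieve access token":
            report[user]["refresh_token_expired"] = True
    return dict(report)
```

A user whose `stale_after_refresh` equals `refreshes` is being refreshed on every request without the new cookie ever taking effect, which is the pattern in the excerpt above.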
-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Andrey Kozichev
Sent: Wednesday, 21 November 2018 01:01
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] can't use refresh token with keycloak-gatekeeper
Hello!
Has anyone come across use of refresh tokens with keycloak-gatekeeper?
I've got a Web app running behind keycloak-gatekeeper. Currently session expires after 5 minutes of inactivity. In the logs I see "session expired and access token refreshing is disabled".
To avoid this, I am trying to enable "refresh tokens" on my gatekeeper proxy by adding *--enable-refresh-tokens=true*; the full list of configuration options:
- --client-id=my_clientid
- --discovery-url=<keycloak_url>
- --enable-default-deny=false
- --enable-json-logging=true
- --enable-logging=true
- --enable-request-id=true
- --enable-encrypted-token=true
- --encryption-key=<secret>
* - --enable-refresh-tokens=true*
- --enable-security-filter=true
- --listen=0.0.0.0:8080
- --preserve-host=true
- --redirection-url=http://my-public-url
- --resources=uri=/*|roles=user-role
- --upstream-url=myservice.svc.cluster.local:8080
However, after adding *enable-refresh-tokens=true* I get a 502 when trying to log in.
In the Gatekeeper logs I see the lines below. Has anyone come across this? I must be missing something obvious.
{"level":"info","ts":1542757702.835068,"msg":"issuing access token for user","email":"myemail at gmail.com ","expires":"2018-11-20T23:53:22Z","duration":"4m59.164934314s"}
{"level":"info","ts":1542757702.8363702,"msg":"client request","latency":0.05726285,"status":307,"bytes":37,"client_ip":"10.44.1.32:60746","method":"GET","path":"/oauth/callback"}
*{"level":"error","ts":1542757702.8891447,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}*
{"level":"info","ts":1542757702.8892436,"msg":"client request","latency":0.000152955,"status":307,"bytes":75,"client_ip":"10.44.1.32:60752","method":"GET","path":"/favicon.ico"}
{"level":"info","ts":1542757703.03116,"msg":"client request","latency":0.001002773,"status":307,"bytes":319,"client_ip":"10.44.1.32:60754","method":"GET","path":"/oauth/authorize"}
{"level":"info","ts":1542757703.108161,"msg":"issuing access token for user","email":"myemail at gmail.com ","expires":"2018-11-20T23:53:23Z","duration":"4m59.891841634s"}
{"level":"info","ts":1542757703.109042,"msg":"client request","latency":0.021427778,"status":307,"bytes":48,"client_ip":"10.44.1.32:60758","method":"GET","path":"/oauth/callback"}
Regards,
Andrey