[keycloak-user] gatekeeper - refresh access token on every access

Julien Goux julien.goux at live.fr
Wed Sep 18 04:40:49 EDT 2019


Sorry for the double mail, I’m new to mailing lists. 😊

I also noticed that when my *refresh* token expires, I get a new access token for 5 min, and there are no further logs during the access token lifetime, as expected:

1.5687957954167793e+09  info    accces token for user has expired, attemping to refresh the token {"client_ip": "127.0.0.1:40522", "email": "julien.goux at live.fr"}
1.56879579542948e+09    error   failed to refresh the access token      {"error": "invalid_grant: Refresh token expired"}
1.5687957958162918e+09  info    issuing access token for user   {"email": " julien.goux at live.fr ", "expires": "2019-09-18T08:41:35Z", "duration": "4m59.183711073s"}

But the logs are back once the *access* token expires after 5 min (like in my previous mail).

From: Julien Goux <julien.goux at live.fr>
Sent: Wednesday, September 18, 2019 10:16
To: keycloak-user at lists.jboss.org
Subject: gatekeeper - refresh access token on every access

Hello,

I’m using gatekeeper behind an nginx server.

Gatekeeper’s logs are pretty obvious until my first access token expires (5 min lifetime). After this period, it seems that gatekeeper is refreshing the token on every access.

Here are the logs for *3* accesses after the first access token has expired; I have the same log for every further access:


1.5687944022004497e+09  info    accces token for user has expired, attemping to refresh the token {"client_ip": "127.0.0.1:40312", "email": "julien.goux at live.fr"}
1.5687944022271063e+09  info    injecting the refreshed access token cookie     {"client_ip": "127.0.0.1:40312", "cookie_name": "kc-access", "email": " julien.goux at live.fr ", "refresh_expires_in": 1800, "expires_in": 299.772897193}
1.5687944027145464e+09  info    accces token for user has expired, attemping to refresh the token {"client_ip": "127.0.0.1:40318", "email": " julien.goux at live.fr "}
1.5687944027320542e+09  info    injecting the refreshed access token cookie     {"client_ip": "127.0.0.1:40318", "cookie_name": "kc-access", "email": " julien.goux at live.fr ", "refresh_expires_in": 1800, "expires_in": 299.26794899}

1.568794442552826e+09   info    accces token for user has expired, attemping to refresh the token {"client_ip": "127.0.0.1:40328", "email": " julien.goux at live.fr "}
1.568794442570195e+09   info    injecting the refreshed access token cookie     {"client_ip": "127.0.0.1:40328", "cookie_name": "kc-access", "email": " julien.goux at live.fr ", "refresh_expires_in": 1800, "expires_in": 299.429808309}

Why does gatekeeper keep refreshing the access token on every access instead of delivering a new one for 5 min?

Thanks for your help.
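
One way to confirm the pattern described in this mail from a saved gatekeeper log, as an added example (not part of the original mail and not gatekeeper's own code): it flags every refresh attempt made while the previously injected access token should still have been valid. It assumes the log line layout quoted above; the function names are hypothetical and the sample uses a placeholder e-mail address.

```python
import json
import re

# Constructed sample: the three accesses quoted in the mail, e-mail replaced by a placeholder.
SAMPLE = """\
1.5687944022004497e+09  info    accces token for user has expired, attemping to refresh the token {"client_ip": "127.0.0.1:40312", "email": "user@example.com"}
1.5687944022271063e+09  info    injecting the refreshed access token cookie     {"client_ip": "127.0.0.1:40312", "cookie_name": "kc-access", "email": "user@example.com", "refresh_expires_in": 1800, "expires_in": 299.772897193}
1.5687944027145464e+09  info    accces token for user has expired, attemping to refresh the token {"client_ip": "127.0.0.1:40318", "email": "user@example.com"}
1.5687944027320542e+09  info    injecting the refreshed access token cookie     {"client_ip": "127.0.0.1:40318", "cookie_name": "kc-access", "email": "user@example.com", "refresh_expires_in": 1800, "expires_in": 299.26794899}
1.568794442552826e+09   info    accces token for user has expired, attemping to refresh the token {"client_ip": "127.0.0.1:40328", "email": "user@example.com"}
1.568794442570195e+09   info    injecting the refreshed access token cookie     {"client_ip": "127.0.0.1:40328", "cookie_name": "kc-access", "email": "user@example.com", "refresh_expires_in": 1800, "expires_in": 299.429808309}
"""

# <epoch seconds> <level> <message> <JSON fields>; the message itself contains no "{".
LINE = re.compile(r"^(\S+)\s+(\w+)\s+(.*?)\s*(\{.*\})\s*$")


def parse(text):
    """Yield (epoch_seconds, level, message, fields) for each parsable log line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, level, msg, fields = m.groups()
            yield float(ts), level, msg, json.loads(fields)


def premature_refreshes(text):
    """Return refresh attempts logged before the last injected token's expiry."""
    valid_until = {}  # email -> (issued_at, expiry) of the last refreshed token
    findings = []
    for ts, _level, msg, fields in parse(text):
        user = fields.get("email", "").strip()
        if "has expired" in msg and user in valid_until:
            issued, expiry = valid_until[user]
            if ts < expiry:  # gatekeeper saw an expired token although a fresh one was issued
                findings.append({"email": user, "age": ts - issued,
                                 "remaining": expiry - ts})
        elif msg.startswith("injecting the refreshed access token"):
            valid_until[user] = (ts, ts + float(fields["expires_in"]))
    return findings


if __name__ == "__main__":
    for f in premature_refreshes(SAMPLE):
        print(f"{f['email']}: refreshed again after {f['age']:.2f}s, "
              f"{f['remaining']:.0f}s of validity left")
```
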

