Some time ago we got a bug report for Gatekeeper related to refresh
token revocation[1]. Here are the steps to reproduce:
"In keycloak, menu Tokens, set "revoke refresh token" to ON with value
set to 0. This means the refresh token can be used only once.
Gain access with a session through keycloak-gatekeeper, wait for token
expiry, try calling a resource: this works. Now wait again for a second
token expiry. Try calling a resource: failure - the refresh token has
expired"
From my perspective, it looks like the expected behavior and not a
bug.
If the access token expired the first time, the refresh token was
used to obtain a new one and request access to the resource. So in the
second request, failure should be expected.
So it's better to ask. What is the expected behavior when "revoke
refresh token" is set to 0 from the adapters? I tried to look at our docs,
but couldn't find anything.
[1] https://issues.jboss.org/browse/KEYCLOAK-9870
--
abstractj
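The following is an added toy model (not Keycloak's or Gatekeeper's code) of the policy described in the message: a refresh token that may be used at most max_reuse+1 times, with 0 meaning exactly once. It assumes, as an OAuth 2.0 refresh flow commonly does, that every successful refresh response carries a newly rotated refresh token, and that presenting a token beyond its reuse limit revokes the whole session (an assumed policy, chosen because over-reuse is indistinguishable from a replayed token). It replays the reproduction steps twice: once with an adapter that stores the rotated refresh token, once with one that keeps reusing the token it received at login. All names (TokenServer, Adapter, run_scenario) are hypothetical.

```python
import secrets
from dataclasses import dataclass, field


class RefreshTokenRevoked(Exception):
    """Raised when a refresh token is presented more often than the policy allows."""


@dataclass
class RefreshRecord:
    session_id: str
    uses: int = 0  # number of times this particular refresh token has been exchanged


@dataclass
class TokenServer:
    """Hypothetical authorization server with a refresh-token reuse limit.
    max_reuse=0 models the setting in the message: each refresh token is usable once."""
    max_reuse: int = 0
    access_ttl: float = 60.0  # seconds; constructed value for the simulation
    refresh_tokens: dict = field(default_factory=dict)
    revoked_sessions: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # events a defender would want logged

    def login(self, now):
        return self._issue(secrets.token_hex(8), now)

    def _issue(self, session_id, now):
        refresh = secrets.token_urlsafe(16)
        self.refresh_tokens[refresh] = RefreshRecord(session_id)
        return {"access_token": secrets.token_urlsafe(16),
                "expires_at": now + self.access_ttl,
                "refresh_token": refresh}

    def refresh(self, refresh_token, now):
        record = self.refresh_tokens.get(refresh_token)
        if record is None or record.session_id in self.revoked_sessions:
            raise RefreshTokenRevoked("unknown or revoked refresh token")
        if record.uses > self.max_reuse:
            # Over-reuse looks exactly like a replayed (stolen) token, so the whole
            # session is revoked (assumed policy) and the event is recorded for review.
            self.revoked_sessions.add(record.session_id)
            self.audit.append(f"reuse limit exceeded for session {record.session_id}")
            raise RefreshTokenRevoked("refresh token reuse limit exceeded")
        record.uses += 1
        # Rotation: every successful refresh hands back a new refresh token.
        return self._issue(record.session_id, now)


@dataclass
class Adapter:
    """Hypothetical gateway adapter. store_rotated=True keeps the refresh token from
    each refresh response; False keeps reusing the one obtained at login."""
    server: TokenServer
    store_rotated: bool = True
    tokens: dict = field(default_factory=dict)

    def call_resource(self, now):
        if not self.tokens:
            self.tokens = self.server.login(now)
        if now >= self.tokens["expires_at"]:
            new = self.server.refresh(self.tokens["refresh_token"], now)
            if not self.store_rotated:
                new["refresh_token"] = self.tokens["refresh_token"]
            self.tokens = new
        return "ok"


def run_scenario(store_rotated, max_reuse=0, expiries=2):
    """Replay the reproduction steps: log in, then repeatedly let the access token
    expire and call a resource. Returns one outcome string per call."""
    server = TokenServer(max_reuse=max_reuse)
    adapter = Adapter(server, store_rotated=store_rotated)
    now = 0.0  # simulated clock in seconds
    adapter.call_resource(now)  # initial login; access token still fresh
    outcomes = []
    for _ in range(expiries):
        now += server.access_ttl + 1  # access token has expired
        try:
            outcomes.append(adapter.call_resource(now))
        except RefreshTokenRevoked as exc:
            outcomes.append(f"failure: {exc}")
    return outcomes


if __name__ == "__main__":
    print("adapter stores rotated token:", run_scenario(True))
    print("adapter reuses login token:  ", run_scenario(False))
```

With the reuse limit at 0, the adapter that stores the rotated token succeeds on both calls, while the adapter that keeps the login-time token fails on the second refresh, which is the symptom in the report. Raising max_reuse to 1 simply moves the failure one expiry later for the non-rotating adapter.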