We have a PR open which is related to that [1], but I am not sure if that PR
also fixes your issue. It seems there is nothing related to client
sessions. I am CCing Stefan in case he has some more to it.
In the meantime, if you are curious whether the fix works, I suggest
cherry-picking Stefan's commit, building Keycloak and checking if the
behaviour is fixed with that PR.
[1] https://github.com/keycloak/keycloak/pull/5852
Marek
On 13/02/2019 14:15, Ken Haendel wrote:
I have a problem authenticating a Spring-secured web-app using Keycloak
4.8.3.
If the user logs in with remember-me enabled, the user session uses
a larger SSO max lifespan (ssoSessionMaxLifespanRememberMe).
So far so good.
Now I want to call another secured REST API using the KeycloakRestService.
That triggers OAuthRequestAuthenticator to verify the tokens
(AdapterTokenVerifier.verifyTokens).
That operation fails, because the client session expired much earlier
(after ssoSessionMaxLifespan). The client session gets removed from the
client session cache
(InfinispanUserSessionProvider.removeExpiredUserSessions).
The error message of AdapterTokenVerifier.verifyTokens() is:
"ERROR RefreshableKeycloakSecurityContext Refresh token failure status: 400
{"error":"invalid_grant","error_description":"Session doesn't have required client"}"
So, the point is: after the client session gets removed from the cache (SSO
max lifespan) I can no longer use the refresh token to request new
tokens and call another REST API service
using the same identity as the web-app,
even though I still have a valid user session to use my Spring app.
Expectation was: I can use the refresh token within the larger time span
with remember-me enabled (ssoSessionMaxLifespanRememberMe).
Actual behaviour is: the refresh token becomes useless within the shorter time
span (ssoSessionMaxLifespan).
Question: Why is the client session removed so early and not when the
user session expires? Is that expected behaviour?
Thank you in advance,
Ken
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
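The failure Ken describes surfaces at the token endpoint as a 400 invalid_grant with the description "Session doesn't have required client". The following is an added example, not code from the thread or from the Keycloak project: a small client-side helper that performs the refresh_token grant against a Keycloak token endpoint, classifies the answer, and reads the exp claim of a returned refresh token to report how long it is still usable. The endpoint URL and client id are placeholders; the HTTP transport is injectable so the run below replays a constructed copy of the exact error body from the thread instead of contacting a server. The JWT decoding deliberately does no signature verification and is only for diagnostics.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Error text Keycloak returned in the thread above when the user session no
# longer carries a client session for the requesting client.
MISSING_CLIENT_SESSION = "Session doesn't have required client"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying its signature.

    Diagnostics only (reading exp/iat); never use this to trust a token.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def fake_jwt(claims: dict) -> str:
    """Build an UNSIGNED, constructed JWT so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def http_post_form(url: str, form: dict):
    """Real transport: POST a form to the token endpoint, return (status, JSON body)."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        url, data=data, headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        # Keycloak returns a JSON error document with 4xx statuses.
        return err.code, json.loads(err.read() or b"{}")


def refresh_tokens(token_endpoint, client_id, refresh_token,
                   client_secret=None, transport=http_post_form):
    """Send grant_type=refresh_token; `transport` is injectable for offline tests."""
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}
    if client_secret:  # confidential clients authenticate with their secret
        form["client_secret"] = client_secret
    return transport(token_endpoint, form)


def classify_refresh_result(status: int, body: dict, now=None) -> dict:
    """Turn the token endpoint's answer into an actionable outcome.

    - "ok": refresh succeeded; also report seconds left on the new refresh token.
    - "client_session_expired": the invalid_grant variant from the thread. The
      user's SSO session may still be alive, but this client's session is gone,
      so the only recovery is to send the browser through the login
      (authorization code) flow again to obtain a new client session.
    - "invalid_grant": any other invalid_grant (revoked, reused, wrong client).
    - "error": anything else (5xx, misconfiguration).
    """
    now = time.time() if now is None else now
    if status == 200 and "refresh_token" in body:
        exp = decode_jwt_claims(body["refresh_token"]).get("exp")
        left = None if exp is None else int(exp - now)
        return {"outcome": "ok", "refresh_token_seconds_left": left}
    if status == 400 and body.get("error") == "invalid_grant":
        if MISSING_CLIENT_SESSION in body.get("error_description", ""):
            return {"outcome": "client_session_expired", "action": "re-login"}
        return {"outcome": "invalid_grant", "action": "re-login",
                "detail": body.get("error_description")}
    return {"outcome": "error", "status": status, "detail": body}


if __name__ == "__main__":
    # Constructed offline transport replaying the 400 body quoted in the thread.
    def failing(url, form):
        return 400, {"error": "invalid_grant",
                     "error_description": MISSING_CLIENT_SESSION}

    endpoint = "https://keycloak.example/auth/realms/demo/protocol/openid-connect/token"  # placeholder
    status, body = refresh_tokens(endpoint, "spring-app", "stale-refresh-token",
                                  transport=failing)
    print(classify_refresh_result(status, body))
    # Constructed success whose refresh token has 10 minutes left.
    ok_body = {"refresh_token": fake_jwt({"typ": "Refresh", "exp": 1000})}
    print(classify_refresh_result(200, ok_body, now=400))
```

Logging the seconds left on each refreshed token alongside the realm's ssoSessionMaxLifespan and ssoSessionMaxLifespanRememberMe values is a quick way to see which of the two lifespans the client session is actually following.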