It is possible that Ken is seeing something different. I will take a look
into it to be sure.
Best regards,
Stefan
On Wed, Feb 13, 2019, 13:43 Marek Posolda <mposolda(a)redhat.com> wrote:
We have a PR open which is related to that [1], but I am not sure if that
PR also fixes your issue. It seems there is nothing related to client
sessions. I am CCing Stefan in case he has some more to it.
In the meantime, if you are curious whether the fix works, I suggest
cherry-picking Stefan's commit, building Keycloak and checking if the
behaviour is fixed with that PR.
[1] https://github.com/keycloak/keycloak/pull/5852
Marek
On 13/02/2019 14:15, Ken Haendel wrote:
> I have a problem authenticating a Spring secured web-app using Keycloak 4.8.3.
>
> If the user logs in with remember-me enabled, the user session does use
> a larger SSO max life span (ssoSessionMaxLifespanRememberMe).
>
> So far so good.
>
> Now I want to call another secured REST-API using the KeycloakRestService.
>
> That triggers OAuthRequestAuthenticator to verify token
> (AdapterTokenVerifier.verifyTokens).
>
> That operation fails, because the client session expired much earlier
> (after ssoSessionMaxLifespan). The client session gets removed from the
> client session cache
> (InfinispanUserSessionProvider.removeExpiredUserSessions).
>
> Error message of AdapterTokenVerifier.verifyTokens() is:
>
> "ERROR RefreshableKeycloakSecurityContext Refresh token failure status: 400
> {"error":"invalid_grant","error_description":"Session doesn't have
> required client"}"
>
>
> So, the point is: after the client session gets removed from cache (SSO
> max life span) I can no longer use the refresh token to request new
> tokens and call another REST-API service using the same identity as the
> web-app, even though I still have a valid user session to use my Spring app.
>
>
> Expectation was: I can use refresh token within the larger time span
> with remember-me enabled (SsoSessionMaxLifespanRememberMe).
>
> Actual behaviour is: Refresh token gets useless within the shorter time
> span (ssoSessionMaxLifespan)
>
> Question: Why is the client session removed so early and not when the
> user session expires? Is that expected behaviour?
>
> Thank you in advance,
>
> Ken
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
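To make the mismatch Ken describes concrete, here is a small, simplified model of the two lifespans (added here as an example; it is not Keycloak's code and does not reproduce its Infinispan implementation). It assumes constructed lifespan values, and it assumes that a refresh request must find a live client session for the requesting client inside the user session, which is the condition whose failure produces the "Session doesn't have required client" error quoted above. The `honor_remember_me` flag is a hypothetical switch that selects whether client session expiry is computed from the ordinary `ssoSessionMaxLifespan` or from the remember-me lifespan the user session itself uses; the first choice reproduces the failure, the second is the behaviour Ken expected.

```python
from dataclasses import dataclass, field

# Constructed sample values (seconds); real realms configure their own.
SSO_SESSION_MAX_LIFESPAN = 10 * 60 * 60                 # 10 hours
SSO_SESSION_MAX_LIFESPAN_REMEMBER_ME = 30 * 24 * 60 * 60  # 30 days


@dataclass
class ClientSession:
    client_id: str
    started: int  # epoch seconds when the client first obtained tokens


@dataclass
class UserSession:
    started: int
    remember_me: bool
    client_sessions: dict = field(default_factory=dict)  # client_id -> ClientSession

    def max_lifespan(self) -> int:
        """The user session honours the larger lifespan when remember-me is on."""
        if self.remember_me:
            return SSO_SESSION_MAX_LIFESPAN_REMEMBER_ME
        return SSO_SESSION_MAX_LIFESPAN

    def is_expired(self, now: int) -> bool:
        return now - self.started > self.max_lifespan()


def client_session_expired(user: UserSession, cs: ClientSession, now: int,
                           honor_remember_me: bool) -> bool:
    """Hypothetical expiry rule for a client session.

    honor_remember_me=False models the behaviour reported in the thread: the
    client session is bounded by ssoSessionMaxLifespan even when the user
    session uses the remember-me lifespan.
    """
    lifespan = user.max_lifespan() if honor_remember_me else SSO_SESSION_MAX_LIFESPAN
    return now - cs.started > lifespan


def remove_expired_client_sessions(user: UserSession, now: int,
                                   honor_remember_me: bool) -> list:
    """Drop expired client sessions from the user session; return removed ids."""
    removed = [cid for cid, cs in user.client_sessions.items()
               if client_session_expired(user, cs, now, honor_remember_me)]
    for cid in removed:
        del user.client_sessions[cid]
    return removed


def refresh_token(user: UserSession, client_id: str, now: int,
                  honor_remember_me: bool) -> dict:
    """Model of the refresh grant: needs a live user session AND a live client session."""
    if user.is_expired(now):
        # Constructed message; the exact wording is not from the thread.
        return {"error": "invalid_grant", "error_description": "User session expired"}
    remove_expired_client_sessions(user, now, honor_remember_me)
    if client_id not in user.client_sessions:
        # This is the error Ken quotes from AdapterTokenVerifier.verifyTokens().
        return {"error": "invalid_grant",
                "error_description": "Session doesn't have required client"}
    return {"access_token": "<new-access-token>", "refresh_token": "<new-refresh-token>"}


def scenario(hours_after_login: int, honor_remember_me: bool) -> dict:
    """Log in with remember-me, then refresh `hours_after_login` hours later."""
    login = 1_700_000_000  # constructed epoch timestamp
    user = UserSession(started=login, remember_me=True)
    user.client_sessions["spring-web-app"] = ClientSession("spring-web-app", login)
    return refresh_token(user, "spring-web-app", login + hours_after_login * 3600,
                         honor_remember_me)


if __name__ == "__main__":
    # 12h after login: inside the remember-me span, outside ssoSessionMaxLifespan.
    print(scenario(12, honor_remember_me=False))  # reported failure
    print(scenario(12, honor_remember_me=True))   # expected behaviour
    print(scenario(31 * 24, honor_remember_me=True))  # user session itself expired
```

Running the two 12-hour cases side by side shows that nothing about the refresh token itself changes; what decides the outcome is which lifespan the client-session reaper applies. Either way, the user session's own expiry remains the outer bound, so honouring remember-me for client sessions does not extend a token's life past the user session.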