I have a problem authenticating a spring secured web-app using keycloak
4.8.3.
If the user logs in with remember-me enabled, the user session uses
a larger SSO max life span (ssoSessionMaxLifespanRememberMe).
So far so good.
Now I want to call another secured REST-API using the KeycloakRestService.
That triggers OAuthRequestAuthenticator to verify token
(AdapterTokenVerifier.verifyTokens).
That operation fails, because the client session expired much earlier
(after ssoSessionMaxLifespan). The client session gets removed from the
client session cache
(InfinispanUserSessionProvider.removeExpiredUserSessions).
Error message of AdapterTokenVerifier.verifyTokens() is:
"ERROR RefreshableKeycloakSecurityContext Refresh token failure status: 400
{"error":"invalid_grant","error_description":"Session doesn't have required client"}"
So, the point is: after the client session gets removed from cache (SSO
max life span) I can no longer use the refresh token to request new
tokens and call another REST-API service
using the same identity as the web-app,
even though I still have a valid user session to use my spring app.
Expectation was: I can use the refresh token within the larger time span
with remember-me enabled (ssoSessionMaxLifespanRememberMe).
Actual behaviour is: the refresh token becomes useless within the shorter time
span (ssoSessionMaxLifespan).
Question: Why is the client session removed so early and not when the
user session expires? Is that expected behaviour?
Thank you in advance,
Ken