Hi Stefan, Marek
Thank you for your quick reply.
I have recently tested your pull request [1] to see if it fixes my issue
with the expired client session cache, and it does NOT. It only fixes an
issue with the user session cache.
My proposal to fix that problem would be as follows (verified here):
diff --git
a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java
b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java
index b1429a6391..54cb244624 100755
---
a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java
+++
b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java
@@ -529,7 +529,7 @@ public class InfinispanUserSessionProvider
implements UserSessionProvider {
localClientSessionCacheStoreIgnore
.entrySet()
.stream()
-
.filter(AuthenticatedClientSessionPredicate.create(realm.getId()).expired(expired))
+
.filter(AuthenticatedClientSessionPredicate.create(realm.getId()).expired(expiredRememberMe))
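Review bot: In the replaced `.filter(...)` line, `expiredRememberMe` is now applied to every client session in the realm, because the predicate is built from `realm.getId()` alone and carries nothing about whether the owning user session was a remember-me login. Client sessions from normal logins would then be kept in `localClientSessionCacheStoreIgnore` past the `expired` threshold that applied before this change. Consider selecting the threshold per entry from the owning user session's remember-me state, or documenting in a comment why holding all client sessions until the remember-me threshold is acceptable, and add a test that refreshes a token after `ssoSessionMaxLifespan` for both login types.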
Using that change, the life span of the client session would be longer
for remember-me logins.
Can you please check if that makes sense for you?
It would be nice if a fix could be added in the next releases to make it
unnecessary to patch the further release :-)
Kind regards,
Ken
[1] https://github.com/keycloak/keycloak/pull/5852
On 13.02.19 at 18:27, Stefan Guilhen wrote:
It is possible that Ken is seeing something different. I will take a
look into it to be sure.
Best regards,
Stefan
On Wed, Feb 13, 2019, 13:43 Marek Posolda <mposolda(a)redhat.com> wrote:
We have a PR open, which is related to that [1], but not sure if that PR
fixes also your issue. It seems there is nothing related to client
sessions. I am CCing Stefan in case he has some more to it.
In the meantime, if you are curious if fix works, I suggest to
cherry-pick Stefan's commit and build Keycloak and check if the
behaviour is fixed with that PR.
[1] https://github.com/keycloak/keycloak/pull/5852
Marek
On 13/02/2019 14:15, Ken Haendel wrote:
> I have a problem authenticating a spring secured web-app using keycloak
> 4.8.3.
>
> If the user logs in with remember-me enabled, the user session does use
> a larger SSO max life span (ssoSessionMaxLifespanRememberMe).
>
> So far so good.
>
> Now I want to call another secured REST-API using the KeycloakRestService.
>
> That triggers OAuthRequestAuthenticator to verify token
> (AdapterTokenVerifier.verifyTokens).
>
> That operation fails, because the client session expired much earlier
> (after ssoSessionMaxLifespan). The client session gets removed from the
> client session cache
> (InfinispanUserSessionProvider.removeExpiredUserSessions).
>
> Error message of AdapterTokenVerifier.verifyTokens() is:
>
> "ERROR RefreshableKeycloakSecurityContext Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Session doesn't have required client"}"
>
> So, the point is: after the client session gets removed from cache (SSO
> max life span) I can no longer use the refresh token to request new
> tokens and call another REST-API service
> using the same identity as the web-app.
>
> Even though I have still a valid user session to use my spring app.
>
> Expectation was: I can use refresh token within the larger time span
> with remember-me enabled (SsoSessionMaxLifespanRememberMe).
>
> Actual behaviour is: Refresh token gets useless within the shorter time
> span (ssoSessionMaxLifespan)
>
> Question: Why is the client session removed so early and not when the
> user session expires? Is that expected behaviour?
>
> Thank you in advance,
>
> Ken
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev