Gatekeeper should indeed always update the refresh token with the latest
obtained from Keycloak after refreshing tokens. There are at least 3 reasons
for this:
* Key rotation - as a realm rotates its keys it will issue new refresh
tokens with the new keys on token refresh
* Max re-use - refresh tokens can be single-use as you mentioned
* Other updates - refresh tokens are opaque and the authorization server
can use it for whatever purpose it wants. We don't currently do any updates
to the claims within, but we could in the future and other authorization
servers may already do so
So, yes, this is a bug in Gatekeeper.
On Thu, 27 Jun 2019 at 20:18, Bruno Oliveira <bruno(a)abstractj.org> wrote:
Thank you Pedro, that helps. Now it's clear what is expected from
"Refresh Token Max Reuse" when 0 is set.
On 2019-06-27, Pedro Igor Silva wrote:
> It seems to be a bug. The first time you refresh, refresh count is 0, the
> second time is 1, which is expected to fail. You should be able to continue
> refreshing tokens if you are using the last RT obtained from the server.
>
> If you look at the docs, this is basically a security layer to deal with
> compromised RTs.
>
> On Thu, Jun 27, 2019 at 1:58 PM Bruno Oliveira <bruno(a)abstractj.org> wrote:
>
> > Some time ago we got a bug report for Gatekeeper related with refresh
> > token revocation[1]. Here are the steps to reproduce:
> >
> > "In keycloak, menu Tokens, set "revoke refresh token" to ON with value
> > set to 0. This means refresh token can be used only once.
> >
> > Gain access with a session through keycloak-gatekeeper, wait token
> > expiry, try calling a resource: this works. Now wait again for a second
> > token expiry. try calling a resource: failure - the refresh token has
> > expired"
> >
> > From my perspective, it looks like the expected behavior and not a bug.
> > If the access token has expired in the first time, the refresh token was
> > used to obtain a new one and request access to the resource. So in the
> > second request, failure should be expected.
> >
> > So it's better to ask. What is the expected behavior when "revoke
> > refresh token" is set to 0 from the adapters? I tried to look at our docs,
> > but couldn't find anything.
> >
> > [1] - https://issues.jboss.org/browse/KEYCLOAK-9870
> >
> > --
> >
> > abstractj
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
--
abstractj
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
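The point of Pedro's top reply, that an adapter must persist the rotated refresh token it gets back from every refresh, as an added Go example that is not Gatekeeper's or Keycloak's code. It models a constructed authorization server that enforces "Refresh Token Max Reuse" the way the thread describes (refresh count 0 passes, count 1 fails when the setting is 0) and rotates the refresh token on each successful refresh, then runs a proxy-style client in both the buggy mode (keeps the original token) and the fixed mode (stores the latest one). The names `authServer`, `proxyClient`, `simulate` and the token strings are assumptions of the example, not anything from the projects.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-in for the authorization server side of a token refresh.
// It models only the "Refresh Token Max Reuse" check discussed in the thread:
// a refresh token may be presented maxReuse+1 times (so 0 means single use),
// and every successful refresh rotates the refresh token.
type authServer struct {
	maxReuse int
	uses     map[string]int // refresh token -> times it has been presented
	nextID   int
}

func newAuthServer(maxReuse int) *authServer {
	return &authServer{maxReuse: maxReuse, uses: map[string]int{}}
}

// mint issues a fresh refresh token (constructed "rt-N" values for the demo).
func (s *authServer) mint() string {
	s.nextID++
	rt := fmt.Sprintf("rt-%d", s.nextID)
	s.uses[rt] = 0
	return rt
}

// login returns the refresh token obtained when the session is first created.
func (s *authServer) login() string { return s.mint() }

var errRefreshReused = errors.New("refresh token presented beyond max reuse")

// refresh returns a new access token and a rotated refresh token, or fails when
// the presented refresh token has already been used more than maxReuse times.
func (s *authServer) refresh(rt string) (access, newRefresh string, err error) {
	n, known := s.uses[rt]
	if !known {
		return "", "", errors.New("unknown refresh token")
	}
	if n > s.maxReuse { // first use sees n=0, second sees n=1, ...
		return "", "", errRefreshReused
	}
	s.uses[rt] = n + 1
	return fmt.Sprintf("at-%s-use-%d", rt, n), s.mint(), nil
}

// proxyClient stands in for an adapter such as Gatekeeper that holds a refresh
// token on behalf of a browser session and refreshes when the access token expires.
type proxyClient struct {
	srv          *authServer
	refreshToken string
	storeLatest  bool // false reproduces the bug: the rotated token is discarded
}

func (c *proxyClient) refreshAccess() (string, error) {
	access, rotated, err := c.srv.refresh(c.refreshToken)
	if err != nil {
		return "", err
	}
	if c.storeLatest {
		c.refreshToken = rotated // the fix: always keep the last RT the server issued
	}
	return access, nil
}

// simulate performs up to attempts refreshes and reports how many succeeded
// before the first failure, together with that failure.
func simulate(maxReuse int, storeLatest bool, attempts int) (int, error) {
	srv := newAuthServer(maxReuse)
	c := &proxyClient{srv: srv, refreshToken: srv.login(), storeLatest: storeLatest}
	for i := 0; i < attempts; i++ {
		if _, err := c.refreshAccess(); err != nil {
			return i, err
		}
	}
	return attempts, nil
}

func main() {
	cases := []struct {
		maxReuse int
		store    bool
	}{{0, false}, {0, true}, {1, false}}
	for _, tc := range cases {
		ok, err := simulate(tc.maxReuse, tc.store, 5)
		fmt.Printf("maxReuse=%d storeLatest=%v: %d successful refreshes, err=%v\n",
			tc.maxReuse, tc.store, ok, err)
	}
}
```

With max reuse 0 the buggy client gets exactly one refresh through and fails on the second, which is the sequence in the original bug report; the fixed client refreshes indefinitely. Raising max reuse to 1 only delays the same failure by one refresh, which is why storing the rotated token, not tuning the reuse limit, is the actual fix on the adapter side.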