Hi,
We try to use Keycloak with offline tokens for end users, but in contrast to
https://lists.jboss.org/pipermail/keycloak-user/2017-January/009096.html
where the Admin API is requested, we try to access the UserInfo endpoint.
As soon as the user session that created the offline token has died, the UserInfo
endpoint returns a 401 with:
{
  "error": "invalid_request",
  "error_description": "User session not found"
}
By looking at
https://issues.jboss.org/browse/KEYCLOAK-4201 and
https://issues.jboss.org/browse/KEYCLOAK-4371
and without really knowing the internals, could it be the same problem here in the
UserInfoEndpoint class, line 142?
It obviously does not consider offline sessions at all. Is that intended behavior?
According to the OIDC spec, the UserInfo endpoint should be usable with a valid offline
access token even if the user session has been ended
(http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess).
Best Regards
Marc
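A small probe for the situation described above, added here as an example and not part of Marc's post or of Keycloak itself: it exchanges a stored offline refresh token for a fresh access token, calls UserInfo with it, and classifies the answer so the "User session not found" case can be told apart from an ordinary invalid token. The base URL, realm and client id are assumptions; the embedded sample token is constructed and unsigned.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def _b64url(obj):
    """base64url-encode a JSON object without padding (JWT style)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed, unsigned sample of an offline refresh token (illustration only).
SAMPLE_OFFLINE_REFRESH_TOKEN = ".".join(
    [_b64url({"alg": "none"}), _b64url({"typ": "Offline", "scope": "offline_access"}), ""])


def jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature (inspection only).
    Keycloak marks offline refresh tokens with typ == "Offline"."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def classify_userinfo(status, body):
    """Map a UserInfo HTTP status/body to a verdict string."""
    if status == 200:
        return "ok"
    try:
        err = json.loads(body)
    except ValueError:
        return "unexpected"
    if status == 401 and err.get("error_description") == "User session not found":
        return "session_gone"  # the failure reported in the post
    return err.get("error", "unexpected")


def _call(url, data=None, token=None):
    """POST form data, or GET with a bearer token; return (status, body)."""
    headers = {"Authorization": "Bearer " + token} if token else {}
    body = urllib.parse.urlencode(data).encode() if data else None
    try:
        with urllib.request.urlopen(urllib.request.Request(url, body, headers)) as r:
            return r.getcode(), r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def probe_userinfo(base, realm, client_id, refresh_token):
    """Refresh with an offline token, then call UserInfo with the new access token."""
    if jwt_payload(refresh_token).get("typ") != "Offline":
        return "not_offline"
    oidc = f"{base}/realms/{realm}/protocol/openid-connect"  # base e.g. https://host/auth
    status, body = _call(f"{oidc}/token", {"grant_type": "refresh_token",
                                         "client_id": client_id, "refresh_token": refresh_token})
    if status != 200:
        return "refresh_failed"
    return classify_userinfo(*_call(f"{oidc}/userinfo", token=json.loads(body)["access_token"]))
```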