Replying to my own question. Looks like all configuration was correct. The
issue was specific only to the particular test user.
Newly created user works as expected.
After removing Test User from multiple roles/groups the issue disappeared.
Can't tell for sure which group membership was causing it.
Thank you All!
Regards,
Andrey
---
https://getantler.io/
On Wed, 21 Nov 2018 at 00:01, Andrey Kozichev <akozichev(a)gmail.com> wrote:
Hello!
Has anyone come across use of refresh tokens with keycloak-gatekeeper?
I've got a Web app running behind keycloak-gatekeeper. Currently session
expires after 5 minutes of inactivity. In the logs I see "session expired
and access token refreshing is disabled".
To avoid this, I am trying to enable "refresh tokens" on my gatekeeper
proxy by adding "--enable-refresh-tokens=true", the full list of
configuration options:
- --client-id=my_clientid
- --discovery-url=<keycloak_url>
- --enable-default-deny=false
- --enable-json-logging=true
- --enable-logging=true
- --enable-request-id=true
- --enable-encrypted-token=true
- --encryption-key=<secret>
- --enable-refresh-tokens=true
- --enable-security-filter=true
- --listen=0.0.0.0:8080
- --preserve-host=true
- --redirection-url=http://my-public-url
- --resources=uri=/*|roles=user-role
- --upstream-url=myservice.svc.cluster.local:8080
However, after adding "enable-refresh-tokens=true" I get a 502 when
trying to log in.
In the Gatekeeper logs I see the lines below. Has anyone come across this? I
must be missing something obvious.
{"level":"info","ts":1542757702.835068,"msg":"issuing access token for user","email":"myemail@gmail.com","expires":"2018-11-20T23:53:22Z","duration":"4m59.164934314s"}
{"level":"info","ts":1542757702.8363702,"msg":"client request","latency":0.05726285,"status":307,"bytes":37,"client_ip":"10.44.1.32:60746","method":"GET","path":"/oauth/callback"}
{"level":"error","ts":1542757702.8891447,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1542757702.8892436,"msg":"client request","latency":0.000152955,"status":307,"bytes":75,"client_ip":"10.44.1.32:60752","method":"GET","path":"/favicon.ico"}
{"level":"info","ts":1542757703.03116,"msg":"client request","latency":0.001002773,"status":307,"bytes":319,"client_ip":"10.44.1.32:60754","method":"GET","path":"/oauth/authorize"}
{"level":"info","ts":1542757703.108161,"msg":"issuing access token for user","email":"myemail@gmail.com","expires":"2018-11-20T23:53:23Z","duration":"4m59.891841634s"}
{"level":"info","ts":1542757703.109042,"msg":"client request","latency":0.021427778,"status":307,"bytes":48,"client_ip":"10.44.1.32:60758","method":"GET","path":"/oauth/callback"}
Regards,
Andrey
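
A triage sketch for the loop visible in the log above, added here as an example and not part of the original thread or of keycloak-gatekeeper: it flags a "no session found" error that follows a token issuance within a short window, and lists users who are issued tokens repeatedly. The function names, the 2-second window and the pairing of each error with the next "client request" record are assumptions of this example; the sample input is the log from the message with wrapped lines re-joined.

```python
import json
# Records from the message above, wrapped lines re-joined (one JSON object per line).
SAMPLE_LOG = """\
{"level":"info","ts":1542757702.835068,"msg":"issuing access token for user","email":"myemail@gmail.com","expires":"2018-11-20T23:53:22Z","duration":"4m59.164934314s"}
{"level":"info","ts":1542757702.8363702,"msg":"client request","latency":0.05726285,"status":307,"bytes":37,"client_ip":"10.44.1.32:60746","method":"GET","path":"/oauth/callback"}
{"level":"error","ts":1542757702.8891447,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1542757702.8892436,"msg":"client request","latency":0.000152955,"status":307,"bytes":75,"client_ip":"10.44.1.32:60752","method":"GET","path":"/favicon.ico"}
{"level":"info","ts":1542757703.03116,"msg":"client request","latency":0.001002773,"status":307,"bytes":319,"client_ip":"10.44.1.32:60754","method":"GET","path":"/oauth/authorize"}
{"level":"info","ts":1542757703.108161,"msg":"issuing access token for user","email":"myemail@gmail.com","expires":"2018-11-20T23:53:23Z","duration":"4m59.891841634s"}
{"level":"info","ts":1542757703.109042,"msg":"client request","latency":0.021427778,"status":307,"bytes":48,"client_ip":"10.44.1.32:60758","method":"GET","path":"/oauth/callback"}
"""
ISSUED = "issuing access token for user"
NO_SESSION = "no session found in request, redirecting for authorization"

def parse(text):
    """Return one dict per line; lines that are not JSON objects are skipped."""
    records = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            records.append(rec)
    return records

def find_lost_sessions(records, window=2.0):
    """(issued_ts, error_ts, path) for each 'no session' error within `window` seconds of a
    token issue. Assumes the next 'client request' record is the request that raised it."""
    findings, last_issued, pending = [], None, None
    for rec in records:
        msg, ts = rec.get("msg"), rec.get("ts", 0.0)
        if msg == ISSUED:
            last_issued = ts
        elif msg == NO_SESSION and last_issued is not None and ts - last_issued <= window:
            pending = (last_issued, ts)
        elif msg == "client request" and pending:
            findings.append((*pending, rec.get("path")))
            pending = None
    return findings

def reissued_users(records, window=2.0):
    """Emails issued more than one access token within `window` seconds."""
    last, hits = {}, set()
    for rec in records:
        if rec.get("msg") == ISSUED:
            email, ts = rec.get("email"), rec.get("ts", 0.0)
            if email in last and ts - last[email] <= window:
                hits.add(email)
            last[email] = ts
    return sorted(hits)
```

Calling `find_lost_sessions(parse(SAMPLE_LOG))` reports the `/favicon.ico` request that arrived without a session about 54 ms after the first token was issued. On a busy proxy the error-to-request pairing needs a request id rather than adjacency.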