Hello,
I am having an issue with a refresh token I have requested using scope=offline_access
becoming stale. This is with Keycloak 3.4.3 backed by a PostgreSQL database running on
OpenShift Online.
After turning on some trace logging I get the following stack trace:
09:34:54,407 TRACE [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-12) Stale token: org.keycloak.OAuthErrorException: Stale token
    at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:185)
    at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:248)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.refreshTokenGrant(TokenEndpoint.java:419)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:174)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...
Which, in the source code, seems to correspond with these lines:
    if (oldToken.getIssuedAt() < session.users().getNotBeforeOfUser(realm, user)) {
        throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token");
    }
https://github.com/keycloak/keycloak/blob/517588ecca8e8749c70c7a28706fc40...
My Offline Session Idle for the realm is set to 30 days which was definitely not
breached.
Can anyone tell me what the not before of the user is and how do I set its value?
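
The comparison quoted in the post can be reproduced offline to see which side of it a given refresh token falls on. This is an added diagnostic example, not part of the original post and not Keycloak's code; the helper names, the sample token and the not-before values are constructed for illustration, and the not-before value for a real user has to be supplied by the operator.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT without verifying the signature.
    Diagnostic use only: unverified claims must never drive authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_stale(token: str, not_before: int) -> bool:
    """Mirror the check quoted from TokenManager.validateToken:
    the token is stale when its iat is strictly less than notBefore."""
    iat = jwt_claims(token).get("iat")
    if not isinstance(iat, (int, float)):
        raise ValueError("token has no numeric 'iat' claim")
    return iat < not_before


def make_sample_token(iat: int) -> str:
    """Build a constructed, unsigned sample token (not a real Keycloak token)."""
    def b64(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none"}), b64({"iat": iat, "typ": "Offline"}), "sig"])


if __name__ == "__main__":
    token = make_sample_token(iat=1520000000)  # constructed issue time
    # Constructed not-before values: never set, equal to iat, later than iat.
    for not_before in (0, 1520000000, 1520003600):
        verdict = "stale" if is_stale(token, not_before) else "accepted"
        print(f"iat=1520000000 notBefore={not_before}: {verdict}")
```

Because the comparison is strict, a token issued in the same second as the not-before value still passes, and a not-before of 0 never rejects anything.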