Even after the "SSO Session Max" is reached and the "normal" session is
expired, you should still be able to see the offline session (in the
"Offline access" tab in the admin console). And also you should still be
able to use the offline token to send the refreshToken request and issue
a new accessToken, which can then be used to access REST endpoints.
Note that the offline token survives even a server restart.
You can try to look at our demo example and try the "offline-access-app"
application from it.
Marek
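The refresh flow Marek describes, as an added example that is not part of this thread or of Keycloak's own code: a small Python client that recognises an offline token (assumed claim layout: typ "Offline" and exp 0, matching the zero expiry Scott observed), sends the refresh_token grant, and decodes the returned access token's exp and session_state so the caller can compare the session id with what the admin console shows. The token endpoint URL, client id, secret and session id are constructed placeholders; `fake_keycloak` stands in for the server so the code runs offline.

```python
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims):
    """Constructed sample token (alg none) for offline testing only;
    real Keycloak tokens are signed and must be verified server-side."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def decode_jwt_claims(token):
    """Read the payload without verifying the signature: fine for looking
    at exp/typ/session_state locally, never for trusting the token."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def is_offline_token(refresh_token):
    """Assumption: Keycloak offline tokens carry typ "Offline" and exp 0 (the thread's zero expiry)."""
    claims = decode_jwt_claims(refresh_token)
    return claims.get("typ") == "Offline" or not claims.get("exp")

def refresh_access_token(token_endpoint, client_id, client_secret, refresh_token, send=None):
    """POST the refresh_token grant and report the new access token's lifetime
    and the session it is bound to. `send` is injectable so the flow runs offline."""
    body = urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "client_secret": client_secret, "refresh_token": refresh_token}).encode()
    req = Request(token_endpoint, data=body, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    send = send or (lambda r: json.loads(urlopen(r).read()))
    resp = send(req)
    claims = decode_jwt_claims(resp["access_token"])
    return {"access_token": resp["access_token"],
            # Keycloak returns a rotated refresh token; keep the old one if absent
            "refresh_token": resp.get("refresh_token", refresh_token),
            # compare with the session ids shown in the admin console
            "session_state": claims.get("session_state"),
            "seconds_left": int(claims["exp"] - time.time())}

def fake_keycloak(req):
    """Constructed stand-in for the token endpoint: 5-minute access token plus rotated offline token."""
    now = int(time.time())
    return {"access_token": make_unsigned_jwt({"exp": now + 300, "session_state": "sess-demo"}),
            "refresh_token": make_unsigned_jwt({"exp": 0, "typ": "Offline",
                                                "session_state": "sess-demo"})}
```

Against a real server, drop the `send` argument and point `token_endpoint` at the realm's openid-connect token URL; a 401 on the protected endpoint despite a positive `seconds_left` is the symptom Scott reports, and `session_state` is the id to look for under Sessions versus Offline access.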
On 11/01/17 11:48, Scott Finlay wrote:
Hi,
We have an application which creates users in Keycloak using offline tokens. But
we're having an issue where Keycloak returns a 401 (unauthorized) when we would try to
make requests to it using an access token generated using our offline token. After some
investigation we found that there exists a setting in Keycloak called "SSO Session
Max" which seems to be an expiration time of the session itself, and after that
amount of time, even if the access or refresh tokens are still valid, the session is
killed. We found that the amount of time between when we last deployed and the first
occurrence of the unauthorized error was 10 hours (the same as the SSO Session Max), and
we tested locally with a short max time and were able to reproduce the problem.
Then we found that when we use the offline token, our code thinks that the refresh token
expiration time is 0 (which is to be expected since it's an offline token), and when
the session lifetime is reached, it continues to use its "unlimited" refresh
token to try to generate new access tokens, and it seems that Keycloak still issues new
access tokens using that refresh token even though the session doesn't exist, and
these tokens don't work. Since Keycloak continues to issue tokens and since it
doesn't tell us anything about the session max time, the code has no idea that the
tokens are actually not valid.
We can see this happening in the Keycloak admin panel as well; when SSO Session Max is
reached the session disappears, but the offline session is still there and the "last
refresh" time still updates. Inside the token itself we can see that it's still
connected to a client session, but we can see no sessions anymore. After looking into the
logs of Keycloak we found this error:
16:39:57,664 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-63)
RESTEASY002005: Failed executing POST /admin/realms/Myrealm/users:
org.jboss.resteasy.spi.UnauthorizedException: Bearer
at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:178)
at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:209)
at sun.reflect.GeneratedMethodAccessor511.invoke(Unknown Source)
Tracing that through the code of Keycloak we found this which seems to indicate that
there must be a valid session associated with tokens:
Starting here:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
Then to here:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
And finally here:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
Is this expected behavior? Are we misunderstanding something or in some way misusing
offline tokens?
Regards,
Scott
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user