Hi,
We were using Keycloak 1.9.8 and are now upgrading to Keycloak 4.8.2.
I am facing a blocker issue with respect to refreshing offline tokens.
I have opened a ticket,
https://issues.jboss.org/browse/KEYCLOAK-10029
I would appreciate hearing from anyone who has faced a similar issue.
Details repeated below:
We have been using keycloak for our authentication process.
We generate an offline token using response_type=code and exchange the code for a token. Our
client refreshes it when the access token expires.
What is observed is that all the offline tokens generated in Keycloak 1.9.8 do not behave as
expected after upgrading to version 4.8.2. Their expires_in is set to the session idle
time, and a subsequent refresh fails with "Session not active". The issue is blocking our
release, which is round the corner. Specific details below:
With 1.9.8 keycloak:
1) User logs in with the following url:
https://<keycloak url>/auth/realms/<realm>/protocol/openid-connect/auth?client_id=<client_id>&redirect_uri=<redirect_url>&response_type=code&scope=offline_access
2) When the code is returned, it is exchanged for token using:
curl -s --request POST \
  --header "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
  --data "client_id=<client_id>&client_secret=<client_secret>&redirect_uri=<redirection url>&grant_type=authorization_code&code=<code>" \
  "https://<keycloak url>/auth/realms/<realm>/protocol/openid-connect/token"
Sample response:
{"access_token":"eyJhbGciOiJSUzI1NiJ9.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.Tul3RCempI7aevTh7SqNODSWRS9c6KgT9FbGsulCE90xUdbDE7X_50OV1n9QBtQZH160b8AKbf1BkRGqZtbGWkXWCEvUCY-iyrovtKt-3SsGedpfD-0tEfvd53FgTrxwH8i9DxvRzOIknIDZGcCz39gYokVC-bDnyZynEpMFD1ZRPnS9fSY_S07NmeSakWPD4iF4W_09AGloZb9T5k2denRVrpIEVzoKF6lrP2U98WqvWxnJC8r-l6zZPNsThDcYiZmdOSxrmvQFYmzpaOAShX4Ad6b9vAk7Ri_6lazb3ESBgv2GSnBSRmLSpDcQBWR-qvlqVRpWLDPDCtnICFCfcw","expires_in":900,"refresh_expires_in":0,"refresh_token":"eyJhbGciOiJSUzI1NiJ9.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.aXcghpPA7H7O_KA3uUjxWr5fGvCsPV9uHdVaH5yTJ88p8Y1zhO8l6kGmTO_lYZs9_acKE6CL99kJUtNq_x42YbQEYic8aKTm5Muv41pBznSvTpE0sEn7GmdqMTLA-bCedsCcBDpEOcOJGVT-GfO9iiFYzdKBszUfDCGFPfJrF1NVUy-An7VLz4aJUur2ERu2zMGWj6Edq6go9fAJ6MJRVfT8OWvxgtt-08RpIf8Tsfx0XLIFeCT0kqzGzffadgDrNG_fL8hnODrCRVZ2qV6WAbH7cgpF1zcAsY8NQW0yvuB0hQU3i4pM_ibt-EuLeFSX05SF43PxsVnmhf-ZPBjk4A","token_type":"bearer","id_token":"eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI0ZTBjYjc5My03MzI4LTRlNTMtYjUxYy04NTg1OTQzMDNlMWEiLCJleHAiOjE1NTQ5NTg1ODksIm5iZiI6MCwiaWF0IjoxNTU0OTU3Njg5LCJpc3MiOiJodHRwczovL3Nzby1jdC13ZXN0LmRldi5hd3MuY29ubmVjdGVkLmNvbS9hdXRoL3JlYWxtcy9DTVgiLCJhdWQiOiJDTVhfQXBwIiwic3ViIjoiNzg1YTlkZmMtNjI4MS00MmVlLThhNTMtZmY3YzUxZDQ4OGE4IiwidHlwIjoiSUQiLCJhenAiOiJDTVhfQXBwIiwic2Vzc2lvbl9zdGF0ZSI6Ijg0OWM1ZWQ5LTZjNDctNGMzYy05M2IyLTUwNzZjYWQ4MzRlNiIsIm5hbWUiOiJBZG1pbiIsInByZWZlcnJlZF91c2VybmFtZSI6InVpZD04MjM2NTFkZi01NDM2LTQwNzAtYTkwMS1iYTU4Yzk5NzZlZjIsb3U9dXNlcnMsbz1oZXdsZXR0LXBhY2thcmQsb3U9cGFydG5lcnMsZGM9aGV3bGV0dC1wYWNrYXJkLGRjPWhwLGRjPWNvbSIsImZhbWlseV9uYW1lIjoiQWRtaW4iLCJlbWFpbCI6ImhwY29ubmVjdGVkc3luY2FkbWluQGhwLmNvbSJ9.rvlNPmsGd0d57yGtbnmCubF3ctXnyP__lTzTdH08GhJptht0iC7CKTwuXWUfmPHN98iu8cxLyWkqOQ50obcNGOpzZXPQDTx-FW2zcyAVd6sQJxZRtOfJjGAetGaXK1s4BaJr1kwl6jmbVeslggtAAxFGCeIlGUO3zu6Qc0MhfLjOGlmUbno2tI4lAFLWkcp1LQ4vrUx5qS9Jcvs3Y2q5j-l2_XaZTLmCRVpCaWRcay9idLgIJb-yDi1r5RMv36614yTQc8pbf1eawfYp4dN1cO6ldXKG9LfWNbVj8MyD_r9Z3tZlS2fgbAzuHVIcI7BL7HlWE2Rn8uUNGkLfUKZF4w","not-before-policy":1439992645,"session_state":"849c5ed9-6c47-4c3c-93b2-5076cad834e6"}
3) Keycloak is upgraded to 4.8.2.
4) What is seen in the admin console is that the offline tokens generated above were refreshed
during the upgrade, judging by their last refresh times.
5) After the upgrade, the offline refresh token is refreshed with the API below:
curl -s --request POST \
  --header "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" \
  --data "client_id=<client_id>&client_secret=<client_secret>&grant_type=refresh_token&refresh_token=<refresh_token>" \
  "https://<keycloak url>/auth/realms/<realm>/protocol/openid-connect/token"
Sample response after upgrade:
{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJUVElxeHVSa3NjSG4zYlNYQ19CUldtTFdlUUdJc3dYMGVKM3BBTlhuODdRIn0.eyJqdGkiOiJkNmQ0ZjU3OS1kMTQwLTRkZjItOWRkMy04ZGE4NDUwMGRjMmYiLCJleHAiOjE1NTQ5NTkxNDYsIm5iZiI6MCwiaWF0IjoxNTU0OTU4MjQ2LCJpc3MiOiJodHRwczovL3Nzby1jdC13ZXN0LmRldi5hd3MuY29ubmVjdGVkLmNvbS9hdXRoL3JlYWxtcy9DTVgiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNzg1YTlkZmMtNjI4MS00MmVlLThhNTMtZmY3YzUxZDQ4OGE4IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiQ01YX0FwcCIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6Ijg0OWM1ZWQ5LTZjNDctNGMzYy05M2IyLTUwNzZjYWQ4MzRlNiIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovL2xvY2FsaG9zdDoxNjM4OSJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6IiIsIm5hbWUiOiJBZG1pbiIsInByZWZlcnJlZF91c2VybmFtZSI6InVpZD04MjM2NTFkZi01NDM2LTQwNzAtYTkwMS1iYTU4Yzk5NzZlZjIsb3U9dXNlcnMsbz1oZXdsZXR0LXBhY2thcmQsb3U9cGFydG5lcnMsZGM9aGV3bGV0dC1wYWNrYXJkLGRjPWhwLGRjPWNvbSIsImZhbWlseV9uYW1lIjoiQWRtaW4iLCJlbWFpbCI6ImhwY29ubmVjdGVkc3luY2FkbWluQGhwLmNvbSJ9.i3lEED2K_lVQk3FYDF4GaQlf0esT5iS-eP6vDKzucx9LEgHJy-ZHc4h6KhSlBoLzkFcX8zhecZq2FY69KQQZo_QdTQP3Ja8Pv1CAPRbUx8BZF1PhCmdfs6NFZmxmKSwMHwTSkFTIImbfGguMLHZexYsQ9bYNMX-ZnxlNKL1Uz25RrFAD2YYl06d_No8ojfti7KGamDjeuWK_nW-Vgy_i-6MikVbmeANj4VUEx91Ba1xlpZaGAEqC9qri90Vbr9jRo9x803G76uGsjI8D6ROSTUl2TkfoC1d9H-4KvwBrLaRBL2g-RqE9VnRL9xq5alQXiDFRzL0b7KnSqNRUT0siyw","expires_in":900,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI5N2Y5OTEyNS1kOTdlLTRhY2EtYTVmMS1mMGVlNjAwYTVmOTYifQ.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.qbL9akZtOrPK-a54A1qTbbCymaxrn2lpX21f_M_PMbQ","token_type":"bearer","not-before-policy":1439992645,"session_state":"849c5ed9-6c47-4c3c-93b2-5076cad834e6","scope":""}
6) As can be seen above, the new refresh token now expires in 1800 sec, which is the
SSO session idle time that I set for my session tokens, whereas before the upgrade these tokens
had an expires-in of 0. Also, scope is now empty; this scope field was not present before the
upgrade.
7) At this point, when I look at the admin console, the offline session token shows its last
refresh as the one I did after the upgrade.
8) Now when I refresh this newly generated token, I get the below error:
{"error":"invalid_grant","error_description":"Session not active"}
9) But I still see those offline session tokens in the table and in the console.
10) On the other hand, I do not see this issue with any new offline session tokens created
after upgrading to 4.8.2.
So what is happening after the upgrade such that these old offline tokens are not treated as
offline, even though they are in the offline session table?
Do we have to do anything as part of the upgrade? All we do is point Keycloak 4.8.2 at
the 1.9.8 DB, and it takes care of upgrading the database.
Thx
-Sulakshana
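A small inspection script, added here as an example and not part of the original post or of Keycloak itself, that makes the distinction in the report checkable from the client side. Keycloak marks a refresh token's kind in its `typ` claim: an offline token carries `typ: "Offline"` and comes back with `refresh_expires_in: 0`, while a session-bound refresh token carries `typ: "Refresh"` and inherits the SSO session idle timeout (the 1800 seconds seen after the upgrade). The script decodes that claim without verifying the signature (inspection only), flags the two mismatches described above, and builds the same `refresh_token` grant as the curl command. The two token responses embedded in it are constructed to mirror the shapes of the pre- and post-upgrade responses (dummy signatures, no real keys); the `SESSION` value is the `session_state` from the post, and the base URL, realm and client names are assumptions.

```python
"""Tell a Keycloak offline refresh token from a session-bound one.

Added example, not code from the post or from Keycloak. Sample responses
below are constructed; base URL, realm and client names are assumptions.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def b64url_decode(segment: str) -> bytes:
    """JWT segments omit '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWS, WITHOUT signature verification.
    Fine for local inspection; never base an authorization decision on it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def classify_token_response(resp: dict) -> dict:
    """Is the refresh_token in a token response an offline token
    (typ == "Offline") or session-bound (typ == "Refresh")?"""
    refresh = jwt_claims(resp["refresh_token"])
    access = jwt_claims(resp["access_token"])
    typ = refresh.get("typ")
    is_offline = typ == "Offline"
    roles = access.get("realm_access", {}).get("roles", [])
    warnings = []
    if is_offline and resp.get("refresh_expires_in", 0):
        warnings.append("typ=Offline but refresh_expires_in=%r; an offline "
                        "token should report 0" % resp["refresh_expires_in"])
    if not is_offline and "offline_access" in roles:
        warnings.append("refresh token typ=%r is bound to the SSO session even "
                        "though the access token carries offline_access; once "
                        "the session idle timeout passes a refresh fails with "
                        "'Session not active'" % typ)
    return {"typ": typ, "is_offline": is_offline,
            "refresh_expires_in": resp.get("refresh_expires_in"),
            "session_state": refresh.get("session_state"),
            "scope": resp.get("scope"), "warnings": warnings}


def refresh_form(client_id: str, client_secret: str, refresh_token: str) -> dict:
    """Body of the refresh_token grant, as in the curl command above."""
    return {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "refresh_token", "refresh_token": refresh_token}


def refresh(base_url: str, realm: str, form: dict) -> dict:
    """POST the grant to the realm token endpoint (network call, not run here)."""
    url = "%s/auth/realms/%s/protocol/openid-connect/token" % (base_url, realm)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 method="POST")
    req.add_header("Content-Type",
                   "application/x-www-form-urlencoded; charset=UTF-8")
    try:
        with urllib.request.urlopen(req) as r:
            return json.loads(r.read())
    except urllib.error.HTTPError as e:  # Keycloak answers 400 + error JSON
        return json.loads(e.read())


def _fake_jwt(claims: dict) -> str:
    """Constructed token: real header/payload encoding, dummy signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return "%s.%s.%s" % (header, b64url_encode(json.dumps(claims).encode()),
                         b64url_encode(b"dummy-signature"))


SESSION = "849c5ed9-6c47-4c3c-93b2-5076cad834e6"  # session_state from the post
_ACCESS = _fake_jwt({"typ": "Bearer", "session_state": SESSION,
                     "realm_access": {"roles": ["offline_access"]}})

# Constructed: shape of a healthy offline-token response (refresh_expires_in 0).
OFFLINE_RESPONSE = {
    "access_token": _ACCESS, "expires_in": 900, "refresh_expires_in": 0,
    "refresh_token": _fake_jwt({"typ": "Offline", "session_state": SESSION}),
    "token_type": "bearer", "scope": "offline_access"}

# Constructed: shape of the post-upgrade response, refresh token now
# session-bound with refresh_expires_in equal to the SSO idle timeout.
SESSION_BOUND_RESPONSE = {
    "access_token": _ACCESS, "expires_in": 900, "refresh_expires_in": 1800,
    "refresh_token": _fake_jwt({"typ": "Refresh", "session_state": SESSION}),
    "token_type": "bearer", "scope": ""}

if __name__ == "__main__":
    for name, r in (("1.9.8-style", OFFLINE_RESPONSE),
                    ("after-upgrade", SESSION_BOUND_RESPONSE)):
        print(name, json.dumps(classify_token_response(r), indent=2))
    # Against a live server (assumed names):
    # refresh("https://sso.example.com", "myrealm",
    #         refresh_form("my_client", "my_secret", OFFLINE_RESPONSE["refresh_token"]))
```

Running the script on a response captured right after the `authorization_code` exchange, and again after each `refresh_token` call, shows immediately whether a token that was offline has silently been turned into a session-bound one, which is the condition under which a later refresh returns `invalid_grant` / "Session not active".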