To explain my case a bit more, what I do is:
First I get a token using:
POST
https://test.vi.nl/auth/realms/vi/protocol/openid-connect/token
scope: openid
client_id: myClient
grant_type: password
username: username
password: password
response_type: code
Then I save the token and restart both Keycloak nodes (which work in a cluster).
Then I try to do:
POST
https://test.vi.nl/auth/realms/vi/protocol/openid-connect/token
scope: openid
client_id: myClient
grant_type: refresh_token
refresh_token: TOKEN
response_type: code
And that request fails with status 400 and the response:
{
"error": "invalid_grant",
"error_description": "Session doesn't have required client"
}
What can I do to make that work?
Regards
Mariusz
-----Original Message-----
From: Mariusz Chruscielewski - Info.nl
Sent: Monday, 17 December, 2018 13:19
To: Mariusz Chruscielewski - Info.nl <mariusz(a)info.nl>; keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: RE: Refresh_token error after keycloak cluster restart
What I also found during debugging is that TokenManager is able to find the userSession, with all details, but can't getAuthenticatedClientSessionByClient (line 162, TokenManager.java).
What I see in debug is that UserSessionAdapter has an entity field (UserSessionEntity), and this entity contains authenticatedClientSessions (with session ID and correct clientID). So I don't understand why this call:
userSession.getAuthenticatedClientSessionByClient(client.getId())
is returning null. Also this:
userSession.getAuthenticatedClientSessions()
returns an empty list.
Do you know if that might be caused by some misconfiguration?
Regards
Mariusz
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Mariusz Chruscielewski - Info.nl
Sent: Monday, 17 December, 2018 10:53
To: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: [keycloak-user] Refresh_token error after keycloak cluster restart
Hi. We run 2 Keycloak nodes, configured as a cluster, with Infinispan cache to keep sessions alive after a Keycloak restart.
We use Keycloak from 2 places: the website (using the Keycloak Tomcat Adapter) and the mobile app.
The Keycloak version currently used is 3.4.3.
After Keycloak is restarted, it all works fine on the website; after an attempt to use the website, I see the following message in the Keycloak log:
2018-12-17 09:23:49,814 WARN [org.keycloak.events] (default task-3) type=REFRESH_TOKEN_ERROR, realmId=vi, clientId=vinl, userId=55aaa7ad-d4f9-40c1-af1a-c5c2baa4efe5, ipAddress=172.23.11.105, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=9f1a1f58-77b8-4823-8e3c-1d6a8c58b870, client_auth_method=client-secret
2018-12-17 09:23:49,935 DEBUG [org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint] (default task-4) PKCE non-supporting Client
2018-12-17 09:23:49,950 DEBUG [org.keycloak.protocol.AuthorizationEndpointBase] (default task-4) Sent request to authz endpoint. We don't have root authentication session with ID '60e3ed59-191a-416b-bc95-c77c684d8855' but we have userSession.Re-created root authentication session with same ID. Client is: vinl . New authentication session tab ID: 4FyAEpyxlE0
2018-12-17 09:23:49,986 DEBUG [org.keycloak.protocol.oidc.TokenManager] (default task-4) Using full scope for client
2018-12-17 09:23:50,121 INFO [org.keycloak.services] (default task-4) [BROWSER] LOGIN
Viafoura session table is not updated because it's identical: [vi_ef3920ff8a625b187a7e04a2f6328aafde805fd05148ea457eebef9d5f6005a97dd7c46e16ff265591a0c9ba98547353_60e3ed59-191a-416b-bc95-c77c684d8855] user [mariusz(a)info.nl] on [Mon Dec 17 09:23:50 CET 2018]
2018-12-17 09:23:50,145 DEBUG [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-4) redirectAccessCode: state: c196bdca-a896-4880-9ab0-d2e96e85cf3a
For the app, the flow is:
* User logs in using a browser view, on the Keycloak login page
* Token and refreshToken are stored in the app
After Keycloak is restarted, the app tries to refresh the token and gets:
2018-12-17 10:08:37,717 WARN [org.keycloak.events] (default task-11) type=REFRESH_TOKEN_ERROR, realmId=vi, clientId=vinl, userId=1d8e3db1-9976-48d6-af7e-02aa6ed126dc, ipAddress=92.67.76.89, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=869ddaec-b68a-4695-9f88-222852a302fe, client_auth_method=client-secret
The response from the REST call is:
{
"error": "invalid_grant",
"error_description": "Session doesn't have required client"
}
Can you please help me solve that issue?
Regards
Mariusz
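A way to spot this failure mode from the server side: after a node restart, a burst of REFRESH_TOKEN_ERROR events with error=invalid_token for clients that were healthy before the restart is the signal that user or client sessions did not survive in the cache. The script below is an added example, not code from the thread or from Keycloak; it parses the [org.keycloak.events] line format shown in the messages above and counts such events per client in a window after a restart time that the caller supplies (here a constructed RESTART_AT; in practice take it from your deployment log).

```python
"""Count Keycloak REFRESH_TOKEN_ERROR events in a window after a node restart.
Added example, not code from the thread: only the [org.keycloak.events] line
format is parsed, and the restart time is supplied by the caller."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the WARN entries quoted in the thread.
SAMPLE_LOG = """\
2018-12-17 09:23:49,814 WARN [org.keycloak.events] (default task-3) type=REFRESH_TOKEN_ERROR, realmId=vi, clientId=vinl, userId=55aaa7ad-d4f9-40c1-af1a-c5c2baa4efe5, ipAddress=172.23.11.105, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, client_auth_method=client-secret
2018-12-17 09:23:50,121 INFO [org.keycloak.services] (default task-4) [BROWSER] LOGIN
2018-12-17 10:08:37,717 WARN [org.keycloak.events] (default task-11) type=REFRESH_TOKEN_ERROR, realmId=vi, clientId=vinl, userId=1d8e3db1-9976-48d6-af7e-02aa6ed126dc, ipAddress=92.67.76.89, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, client_auth_method=client-secret
2018-12-17 12:30:00,000 WARN [org.keycloak.events] (default task-20) type=REFRESH_TOKEN_ERROR, realmId=vi, clientId=myClient, userId=constructed-user-id, ipAddress=10.0.0.5, error=invalid_token, grant_type=refresh_token
"""
RESTART_AT = datetime(2018, 12, 17, 9, 20, 0)  # constructed restart time

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+)\s+"
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)

def parse_event(line):
    """Return a dict for an org.keycloak.events line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("logger") != "org.keycloak.events":
        return None
    event = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")}
    # The event message is a comma-separated list of key=value pairs.
    event.update(re.findall(r"(\w+)=([^,]*)", m.group("msg")))
    return event

def refresh_errors_after_restart(log_text, restart_at, window=timedelta(hours=1)):
    """Count REFRESH_TOKEN_ERROR events per (clientId, error) within `window` of restart_at.
    A burst for otherwise healthy clients right after a restart is the symptom in the
    thread: the user/client session was not preserved in the cache, so every stored
    refresh token is rejected until the user logs in again."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("type") != "REFRESH_TOKEN_ERROR":
            continue
        if restart_at <= ev["ts"] <= restart_at + window:
            counts[(ev.get("clientId"), ev.get("error"))] += 1
    return counts

if __name__ == "__main__":
    for (client, err), n in refresh_errors_after_restart(SAMPLE_LOG, RESTART_AT).items():
        print(f"{client}: {n} x {err} within 1h of restart")
```

Feed it the real server.log and the real restart timestamp; a non-zero count for a client whose users did not log out is what to correlate with the cluster cache configuration.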
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user