Hi Dmitry,
Thanks for answering, you are correct. The user NOT_BEFORE is non-zero and is after the
token was issued.
After searching the code base it seems this value is set on logout, which makes sense.
Cheers,
Huw
________________________________
From: Dmitry Telegin <dt(a)acutus.pro>
Sent: 28 October 2018 23:35
To: Huw McNamara; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Refresh Token Becoming Stale because of User Not Before Date
Hello Huw,
The "notBefore" user property is mapped to the NOT_BEFORE column of the
USER_ENTITY table. If you have access to the DB, please check it. Most likely this value
is non-zero for your user.
AFAIK there is no GUI option to set this directly. Upon user creation, the field is set to
zero, and there are several scenarios that can lead to a non-zero value. It needs to be
further investigated which one is the cause in your case.
Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Sat, 2018-10-27 at 09:52 +0000, Huw McNamara wrote:
Hello,
I am having an issue with a refresh token I have requested using scope=offline_access
becoming stale. This is with Keycloak 3.4.3 backed by a PostgreSQL database running on
OpenShift Online.
After turning on some trace logging I get the following stack trace:
09:34:54,407 TRACE [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-12) Stale token: org.keycloak.OAuthErrorException: Stale token
at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:185)
at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:248)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.refreshTokenGrant(TokenEndpoint.java:419)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:174)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...
Which, in the source code, seems to correspond with these lines:
if (oldToken.getIssuedAt() < session.users().getNotBeforeOfUser(realm, user)) {
    throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token");
}
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub....
My Offline Session Idle for the realm is set to 30 days which was definitely not
breached.
Can anyone tell me what the not before of the user is and how do I set its value?
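
The stale-token condition discussed in this thread, as an added diagnostic example that is not part of the original messages and is not Keycloak's own code: it decodes a refresh token's `iat` claim and compares it with a NOT_BEFORE value read from the USER_ENTITY table. It assumes both values are epoch seconds; the function names and the sample token are constructed for illustration.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a compact JWT's payload. No signature check: diagnosis only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def explain_stale(token: str, user_not_before: int) -> dict:
    """Apply the thread's check: the token is stale when iat < notBefore."""
    iat = jwt_claims(token).get("iat")
    if isinstance(iat, bool) or not isinstance(iat, int):
        raise ValueError("token has no integer iat claim")
    return {
        "iat": iat,
        "not_before": user_not_before,
        "stale": iat < user_not_before,  # strict, as in the quoted Java
        "issued_seconds_before_cutoff": max(user_not_before - iat, 0),
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demonstration below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.constructed-signature"


# Constructed values: token issued at 1540000000, NOT_BEFORE raised later.
SAMPLE_TOKEN = make_sample_token({"iat": 1540000000, "sub": "constructed-user"})

if __name__ == "__main__":
    print(explain_stale(SAMPLE_TOKEN, user_not_before=1540600000))
    print(explain_stale(SAMPLE_TOKEN, user_not_before=0))
```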