Never mind, I found the problem (at least I think I did):
- SSO session idle: 1 minute
- Access token lifespan: 1 minute
When the access token has timed out and the application needs to refresh it, the SSO
session has also timed out already, hence the error.
Setting SSO session idle to 2 minutes or more fixes the issue.
Kind regards
pp. Thomas Göttlich
-------------------------------------------------------------
Development factor:plus
+49 (0)731 / 9 35 42 -301
thomas.goettlich(a)it-informatik.de
-------------------------------------------------------------
IT-Informatik GmbH
Magirus-Deutz-Straße 17, 89077 Ulm
Fax: +49 (0)731 / 9 35 42 - 130
www.it-informatik.de
-------------------------------------------------------------
District Court Ulm: HRB 2662
Registered office: Ulm
VAT ID No.: DE 145567338
Managing Partner: Günter Nägele
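A small checker for the timeout combination described above, added here as an example and not code from the thread or from Keycloak itself: it reads the realm-export field names (ssoSessionIdleTimeout, ssoSessionMaxLifespan, accessTokenLifespan, all stored in seconds) and models the server's session check in simplified form, so a realm where refreshes by an idle client can never succeed is flagged before anyone hits "Refresh token expired".

```python
"""Check Keycloak realm timeouts for the 'Refresh token expired' trap.

A refresh token is only usable while the SSO session is alive, so if the
access token lifespan is equal to or longer than the SSO session idle
timeout, a client that only talks to Keycloak when it needs a new access
token will always find its session already gone.
"""

# Constructed realm-export fragment reproducing the settings from the thread.
# Keycloak stores these values in seconds even though the console shows minutes.
BROKEN_REALM = {
    "realm": "our_realm",
    "ssoSessionIdleTimeout": 60,        # 1 minute
    "ssoSessionMaxLifespan": 36000,     # 10 hours
    "accessTokenLifespan": 60,          # 1 minute
}
FIXED_REALM = dict(BROKEN_REALM, ssoSessionIdleTimeout=120)  # the 2-minute fix


def refresh_margin(realm: dict) -> int:
    """Seconds between access-token expiry and the point where an otherwise
    idle session (and with it the refresh token) expires. <= 0 means every
    refresh attempted after the access token expired will be rejected."""
    session_limit = min(int(realm["ssoSessionIdleTimeout"]),
                        int(realm["ssoSessionMaxLifespan"]))
    return session_limit - int(realm["accessTokenLifespan"])


def can_refresh(realm: dict, last_activity: int, login_at: int, now: int) -> bool:
    """Simplified model of the server-side check: the session must be within
    its idle timeout since the last activity and within its max lifespan."""
    idle_ok = now - last_activity <= int(realm["ssoSessionIdleTimeout"])
    max_ok = now - login_at <= int(realm["ssoSessionMaxLifespan"])
    return idle_ok and max_ok


def check_realm(realm: dict, min_margin: int = 60) -> list:
    """Return human-readable findings for a realm representation."""
    margin = refresh_margin(realm)
    name = realm.get("realm", "<unnamed>")
    if margin <= 0:
        return [f"{name}: refresh token expires no later than the access token "
                f"(margin {margin}s); refreshes by idle clients will fail"]
    if margin < min_margin:
        return [f"{name}: only {margin}s to refresh after access-token expiry"]
    return []
```

Run check_realm() over a realm export (kc.sh export or the admin REST realm representation) to catch this before it reaches the adapter logs.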
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On behalf of Göttlich, Thomas
Sent: Wednesday, 21 June 2017 13:14
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Refresh token error
Hi there,
we're currently integrating two Java server applications via Keycloak and use a
subclass of KeycloakOIDCFilter on the client side.
The subclassing is done mainly to facilitate configuration (which is loaded from the
database) as well as some adjustments on session fixation prevention and login redirect
handling.
It works well so far, with one exception: when the access token times out and needs to be
refreshed, we get the following error:
- Client: [org.keycloak.adapters.RefreshableKeycloakSecurityContext] Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Refresh token expired"}
- Keycloak: [org.keycloak.events] type=REFRESH_TOKEN_ERROR, realmId=our_realm, clientId=our_client, userId=null, ipAddress=127.0.0.1, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret
So far I could verify that the refresh token is not null, so it seems to either be invalid
or the request is faulty.
For testing purposes we have set the following timeouts:
- SSO session idle: 1 minute
- SSO session max: 10 hours
- Access token lifespan: 1 minute
- Access token lifespan for implicit flow: 1 minute
The client has the following settings:
- Only standard flow enabled
- Access type: confidential
- Client protocol: openid-connect
Any idea what could cause that error or where we should look?
Thanks in advance,
Thomas
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user