[keycloak-dev] Why does client session expire regardless remember-me extended validity?
Ken Haendel
kschwiersch at yahoo.de
Wed Feb 13 08:15:26 EST 2019
I have a problem authenticating a spring secured web-app using keycloak
4.8.3.
If the user logs in with remember-me enabled, the user session does use
a larger SSO max life span (ssoSessionMaxLifespanRememberMe).
So far so good.
Now I want to call another secured REST-API using the KeycloakRestService.
That triggers OAuthRequestAuthenticator to verify token
(AdapterTokenVerifier.verifyTokens).
That operation fails, because the client session expired much earlier
(after ssoSessionMaxLifespan). The client session gets removed from the
client session cache
(InfinispanUserSessionProvider.removeExpiredUserSessions).
Error message of AdapterTokenVerifier.verifyTokens() is:
"ERROR RefreshableKeycloakSecurityContext Refresh token failure status:
400 {"error":"invalid_grant","error_description":"Session doesn't have
required client"}"
So, the point is: after the client session gets removed from cache (SSO
max life span) I can no longer use the refresh token to request new
tokens and call another REST-API service
using the same identity as the web-app,
even though I still have a valid user session to use my spring app.
Expectation was: I can use refresh token within the larger time span
with remember-me enabled (SsoSessionMaxLifespanRememberMe).
Actual behaviour is: Refresh token gets useless within the shorter time
span (ssoSessionMaxLifespan)
Question: Why is the client session removed so early and not when the
user session expires? Is that expected behaviour?
Thank you in advance,
Ken
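To make the timing mismatch in the post concrete, the following is a small Python model of the behaviour Ken describes (an added example, not Keycloak's code): the user session lives for ssoSessionMaxLifespanRememberMe, but the client session is dropped after ssoSessionMaxLifespan, so a refresh in between fails with the quoted error. The realm values and timestamps are constructed.

```python
from dataclasses import dataclass

@dataclass
class RealmSettings:
    sso_session_max_lifespan: int               # seconds (ssoSessionMaxLifespan)
    sso_session_max_lifespan_remember_me: int   # seconds (ssoSessionMaxLifespanRememberMe)

@dataclass
class UserSession:
    started: int        # epoch seconds when the user logged in
    remember_me: bool   # whether remember-me was enabled at login

def user_session_expires_at(session: UserSession, realm: RealmSettings) -> int:
    # The user session honours the larger remember-me lifespan.
    lifespan = (realm.sso_session_max_lifespan_remember_me
                if session.remember_me else realm.sso_session_max_lifespan)
    return session.started + lifespan

def client_session_expires_at(session: UserSession, realm: RealmSettings) -> int:
    # As observed in the post: the client session is removed after
    # ssoSessionMaxLifespan regardless of remember-me.
    return session.started + realm.sso_session_max_lifespan

def refresh_tokens(session: UserSession, realm: RealmSettings, now: int) -> dict:
    """Model of a refresh-token request at time `now`."""
    if now >= user_session_expires_at(session, realm):
        # Assumed message: the post does not show this case.
        return {"error": "invalid_grant",
                "error_description": "user session expired (assumed message)"}
    if now >= client_session_expires_at(session, realm):
        # The error quoted in the post.
        return {"error": "invalid_grant",
                "error_description": "Session doesn't have required client"}
    return {"ok": True}

# Constructed realm: 10 hours normally, 30 days with remember-me.
REALM = RealmSettings(sso_session_max_lifespan=36_000,
                      sso_session_max_lifespan_remember_me=2_592_000)
```

A refresh issued after ssoSessionMaxLifespan but before ssoSessionMaxLifespanRememberMe lands in the gap the post is asking about.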