[keycloak-dev] Why does client session expire regardless remember-me extended validity?

Ken Haendel kschwiersch at yahoo.de
Wed Feb 13 08:15:26 EST 2019

I have a problem authenticating a spring secured web-app using keycloak 

If the user logs in with remember-me enabled, the user session does use 
a larger SSO max life span (ssoSessionMaxLifespanRememberMe).

So far so good.

Now i want to call another secured REST-API using the KeycloakRestService.

That triggers OAuthRequestAuthenticator to verify token 

That operation fails, because the client session expired much earlier 
(after ssoSessionMaxLifespan). The client session gets removed from the 
client session cache 

Error message of AdapterTokenVerifier.verifyTokens() is:

"ERROR RefreshableKeycloakSecurityContext Refresh token failure status: 
400 {"error":"invalid_grant","error_description":"Session doesn't have 
required client"}"

So, the point is: after the client session gets removed from cache (SSO 
max life span) i can no longer use the refresh token to request new 
tokens and call another REST-API service

using the same identity as the web-app.

Even though i have still a valid user session to use my spring app.

Expectation was: I can use refresh token within the larger time span  
with remember-me enabled (SsoSessionMaxLifespanRememberMe).

Actual behaviour is: Refresh token gets useless within the shorter time 
span (ssoSessionMaxLifespan)

Question: Why is the client session removed so early and not when the 
user session expires? Is that expected behavoiur?

Thank you in advance,


More information about the keycloak-dev mailing list