[keycloak-dev] Why does client session expire regardless remember-me extended validity?

Marek Posolda mposolda at redhat.com
Wed Feb 13 10:43:20 EST 2019


We have a PR open which is related to that [1], but I am not sure if 
that PR also fixes your issue. It seems there is nothing in it related 
to client sessions. I am CCing Stefan in case he has more to add.

In the meantime, if you are curious whether the fix works, I suggest 
cherry-picking Stefan's commit, building Keycloak and checking whether 
the behaviour is fixed with that PR.

[1] https://github.com/keycloak/keycloak/pull/5852

Marek

On 13/02/2019 14:15, Ken Haendel wrote:
> I have a problem authenticating a Spring-secured web-app using Keycloak
> 4.8.3.
>
> If the user logs in with remember-me enabled, the user session uses
> a larger SSO max lifespan (ssoSessionMaxLifespanRememberMe).
>
> So far so good.
>
> Now I want to call another secured REST API using the KeycloakRestService.
>
> That triggers OAuthRequestAuthenticator to verify the token
> (AdapterTokenVerifier.verifyTokens).
>
> That operation fails because the client session expired much earlier
> (after ssoSessionMaxLifespan). The client session gets removed from the
> client session cache
> (InfinispanUserSessionProvider.removeExpiredUserSessions).
>
> The error message of AdapterTokenVerifier.verifyTokens() is:
>
> "ERROR RefreshableKeycloakSecurityContext Refresh token failure status:
> 400 {"error":"invalid_grant","error_description":"Session doesn't have
> required client"}"
>
>
> So, the point is: after the client session gets removed from the cache
> (SSO max lifespan) I can no longer use the refresh token to request new
> tokens and call another REST API service using the same identity as
> the web-app, even though I still have a valid user session to use my
> Spring app.
>
>
> The expectation was: I can use the refresh token within the larger time
> span with remember-me enabled (ssoSessionMaxLifespanRememberMe).
>
> The actual behaviour is: the refresh token becomes useless within the
> shorter time span (ssoSessionMaxLifespan).
>
> Question: Why is the client session removed so early and not when the
> user session expires? Is that expected behaviour?
>
> Thank you in advance,
>
> Ken
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
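As an added illustration of the mismatch Ken describes, here is a constructed Python model of the two expiry checks. It is not Keycloak's code and not the fix from the PR; only the realm attribute names (ssoSessionMaxLifespan, ssoSessionMaxLifespanRememberMe) and the error string follow the thread, while the function names, the sweep logic and the timings are assumptions made for the example.

```python
"""Toy model of the SSO vs. client-session expiry mismatch from the thread.

Constructed example: this is NOT Keycloak's code. The realm attribute names
mirror the ones discussed in the thread; the function names, the sweep
logic and all timings are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class RealmConfig:
    # Constructed values, in seconds.
    sso_session_max_lifespan: int = 10 * 60                      # 10 minutes
    sso_session_max_lifespan_remember_me: int = 30 * 24 * 3600   # 30 days


@dataclass
class UserSession:
    started: int                  # epoch seconds at login
    remember_me: bool
    # client_id -> epoch seconds at which that client session was created
    client_sessions: Dict[str, int] = field(default_factory=dict)

    def max_lifespan(self, realm: RealmConfig) -> int:
        """Remember-me logins get the extended lifespan (what the reporter
        observed for the user session)."""
        if self.remember_me and realm.sso_session_max_lifespan_remember_me > 0:
            return realm.sso_session_max_lifespan_remember_me
        return realm.sso_session_max_lifespan

    def is_expired(self, realm: RealmConfig, now: int) -> bool:
        return now - self.started > self.max_lifespan(realm)


LifespanFn = Callable[[UserSession, RealmConfig], int]


def client_lifespan_mismatched(user: UserSession, realm: RealmConfig) -> int:
    """Reported behaviour: client sessions are judged against the plain
    ssoSessionMaxLifespan regardless of the remember-me flag."""
    return realm.sso_session_max_lifespan


def client_lifespan_consistent(user: UserSession, realm: RealmConfig) -> int:
    """Expected behaviour: a client session lives as long as its user session."""
    return user.max_lifespan(realm)


def sweep_expired_client_sessions(user: UserSession, realm: RealmConfig,
                                  now: int, lifespan_of: LifespanFn) -> None:
    """Model of the periodic cache sweep: drop client sessions past their lifespan."""
    limit = lifespan_of(user, realm)
    for client_id in [c for c, started in user.client_sessions.items()
                      if now - started > limit]:
        del user.client_sessions[client_id]


def refresh_token(user: UserSession, realm: RealmConfig, client_id: str,
                  now: int, lifespan_of: LifespanFn) -> Tuple[str, str]:
    """Model of the refresh grant. Returns (status, description)."""
    if user.is_expired(realm, now):
        return ("invalid_grant", "Session not active")
    sweep_expired_client_sessions(user, realm, now, lifespan_of)
    if client_id not in user.client_sessions:
        # The error string the reporter saw from the adapter.
        return ("invalid_grant", "Session doesn't have required client")
    return ("ok", "new tokens issued")


def scenario(lifespan_of: LifespanFn, elapsed: int) -> Tuple[str, str]:
    """Remember-me login at t=0 for a hypothetical client 'spring-app',
    then a refresh after `elapsed` seconds."""
    realm = RealmConfig()
    user = UserSession(started=0, remember_me=True,
                       client_sessions={"spring-app": 0})
    return refresh_token(user, realm, "spring-app", now=elapsed,
                         lifespan_of=lifespan_of)


if __name__ == "__main__":
    one_hour = 3600
    print("mismatched, 1h :", scenario(client_lifespan_mismatched, one_hour))
    print("consistent, 1h :", scenario(client_lifespan_consistent, one_hour))
    print("consistent, 31d:", scenario(client_lifespan_consistent, 31 * 24 * 3600))
```

With the mismatched lifespan, a refresh one hour after a remember-me login fails with "Session doesn't have required client" although the user session is still good for 30 days; with both checks derived from the same lifespan the refresh succeeds until the user session itself expires. Whichever behaviour a deployment wants, the caveat is that the extended remember-me window also extends how long a leaked refresh token stays usable, so the two lifespans should be chosen together rather than letting the shorter one silently apply to only half of the session state.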



