[keycloak-dev] Why does client session expire regardless remember-me extended validity?

Marek Posolda mposolda at redhat.com
Wed Feb 13 10:43:20 EST 2019

We have PR open, which is related to that [1], but not sure if that PR 
fixes also your issue. It seems there is nothing related to client 
sessions. I am CCing Stefan in case he has some more to it.

In the meantime, if you are curious if fix works, I suggest to 
cherry-pick Stefan's commit and build Keycloak and check if the 
behaviour is fixed with that PR.

[1] https://github.com/keycloak/keycloak/pull/5852


On 13/02/2019 14:15, Ken Haendel wrote:
> I have a problem authenticating a spring secured web-app using keycloak
> 4.8.3.
> If the user logs in with remember-me enabled, the user session does use
> a larger SSO max life span (ssoSessionMaxLifespanRememberMe).
> So far so good.
> Now i want to call another secured REST-API using the KeycloakRestService.
> That triggers OAuthRequestAuthenticator to verify token
> (AdapterTokenVerifier.verifyTokens).
> That operation fails, because the client session expired much earlier
> (after ssoSessionMaxLifespan). The client session gets removed from the
> client session cache
> (InfinispanUserSessionProvider.removeExpiredUserSessions).
> Error message of AdapterTokenVerifier.verifyTokens() is:
> "ERROR RefreshableKeycloakSecurityContext Refresh token failure status:
> 400 {"error":"invalid_grant","error_description":"Session doesn't have
> required client"}"
> So, the point is: after the client session gets removed from cache (SSO
> max life span) i can no longer use the refresh token to request new
> tokens and call another REST-API service
> using the same identity as the web-app.
> Even though i have still a valid user session to use my spring app.
> Expectation was: I can use refresh token within the larger time span
> with remember-me enabled (SsoSessionMaxLifespanRememberMe).
> Actual behaviour is: Refresh token gets useless within the shorter time
> span (ssoSessionMaxLifespan)
> Question: Why is the client session removed so early and not when the
> user session expires? Is that expected behavoiur?
> Thank you in advance,
> Ken
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

More information about the keycloak-dev mailing list