[keycloak-dev] Why does client session expire regardless remember-me extended validity?

Stefan Guilhen sguilhen at redhat.com
Wed Feb 13 12:27:15 EST 2019


It is possible that Ken is seeing something different. I will take a look
into it to be sure.

Best regards,
Stefan

On Wed, Feb 13, 2019, 13:43 Marek Posolda <mposolda at redhat.com> wrote:

> We have PR open, which is related to that [1], but not sure if that PR
> fixes also your issue. It seems there is nothing related to client
> sessions. I am CCing Stefan in case he has some more to it.
>
> In the meantime, if you are curious if fix works, I suggest to
> cherry-pick Stefan's commit and build Keycloak and check if the
> behaviour is fixed with that PR.
>
> [1] https://github.com/keycloak/keycloak/pull/5852
>
> Marek
>
> On 13/02/2019 14:15, Ken Haendel wrote:
> > I have a problem authenticating a spring secured web-app using keycloak
> > 4.8.3.
> >
> > If the user logs in with remember-me enabled, the user session does use
> > a larger SSO max life span (ssoSessionMaxLifespanRememberMe).
> >
> > So far so good.
> >
> > Now I want to call another secured REST-API using the
> > KeycloakRestService.
> >
> > That triggers OAuthRequestAuthenticator to verify token
> > (AdapterTokenVerifier.verifyTokens).
> >
> > That operation fails, because the client session expired much earlier
> > (after ssoSessionMaxLifespan). The client session gets removed from the
> > client session cache
> > (InfinispanUserSessionProvider.removeExpiredUserSessions).
> >
> > Error message of AdapterTokenVerifier.verifyTokens() is:
> >
> > "ERROR RefreshableKeycloakSecurityContext Refresh token failure status:
> > 400 {"error":"invalid_grant","error_description":"Session doesn't have
> > required client"}"
> >
> >
> > So, the point is: after the client session gets removed from cache (SSO
> > max life span) I can no longer use the refresh token to request new
> > tokens and call another REST-API service using the same identity as the
> > web-app.
> >
> > Even though I have still a valid user session to use my spring app.
> >
> >
> > Expectation was: I can use refresh token within the larger time span
> > with remember-me enabled (SsoSessionMaxLifespanRememberMe).
> >
> > Actual behaviour is: Refresh token gets useless within the shorter time
> > span (ssoSessionMaxLifespan)
> >
> > Question: Why is the client session removed so early and not when the
> > user session expires? Is that expected behaviour?
> >
> > Thank you in advance,
> >
> > Ken
> >
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
>
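Two checks a practitioner would want when chasing the behaviour Ken describes, as an added example that is not code from the thread, from Keycloak, or from its Spring adapter: first, decode the refresh token the web-app holds and see whether its validity window actually exceeds ssoSessionMaxLifespan (if remember-me was honoured at issue time it should), and second, recognise the exact token-endpoint error from the report so the adapter drops its local state and sends the user back through login instead of failing the REST call. The realm lifespans, timestamps, client id and session id below are constructed sample values; the claim names `typ`, `iat`, `exp`, `azp` and `session_state` are the ones Keycloak puts in its refresh tokens. The decoder deliberately skips signature verification because it only inspects a token the application already obtained; it must not be used to accept tokens from callers.

```python
import base64
import json

# Realm settings as shown in the Keycloak admin console, in seconds.
# Constructed values for this example, not Ken's realm configuration.
SSO_SESSION_MAX_LIFESPAN = 10 * 60 * 60                   # 10 hours
SSO_SESSION_MAX_LIFESPAN_REMEMBER_ME = 30 * 24 * 60 * 60  # 30 days


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED compact JWT for sample input only. Real Keycloak refresh
    tokens are signed; this helper exists so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.
    Diagnostic use over a token the app already holds; never a trust decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_refresh_window(token: str, sso_max: int) -> dict:
    """Report the validity window (exp - iat) a refresh token carries and whether
    it exceeds ssoSessionMaxLifespan. Idle timeouts can bound the window further,
    so a window below sso_max is normal without remember-me; a window above it is
    only possible when the remember-me lifespan was applied at issue time."""
    claims = decode_claims(token)
    if claims.get("typ") != "Refresh":
        raise ValueError(f"not a refresh token (typ={claims.get('typ')!r})")
    window = claims["exp"] - claims["iat"]
    return {
        "session_state": claims.get("session_state"),
        "client": claims.get("azp"),
        "window_seconds": window,
        "exceeds_standard_lifespan": window > sso_max,
    }


def classify_token_endpoint_error(body: str) -> str:
    """Map a token-endpoint error body to the adapter's recovery action. The
    'Session doesn't have required client' description from the thread means the
    user session may still exist but the client session is gone: the refresh
    token is useless, so clear local state and re-authenticate the user."""
    err = json.loads(body)
    if err.get("error") != "invalid_grant":
        return "unexpected-error"
    if "required client" in err.get("error_description", ""):
        return "client-session-missing"
    return "invalid_grant-other"


# Constructed sample tokens for one session: one issued under the standard
# lifespan, one under the remember-me lifespan. Epoch seconds are arbitrary.
ISSUED_AT = 1_550_000_000
SESSION_ID = "11111111-2222-3333-4444-555555555555"   # constructed
STANDARD_TOKEN = make_sample_token({
    "typ": "Refresh", "iat": ISSUED_AT, "exp": ISSUED_AT + SSO_SESSION_MAX_LIFESPAN,
    "azp": "spring-web-app", "session_state": SESSION_ID})
REMEMBER_ME_TOKEN = make_sample_token({
    "typ": "Refresh", "iat": ISSUED_AT,
    "exp": ISSUED_AT + SSO_SESSION_MAX_LIFESPAN_REMEMBER_ME,
    "azp": "spring-web-app", "session_state": SESSION_ID})

# The JSON part of the adapter log line Ken quoted.
REPORTED_ERROR = (
    '{"error":"invalid_grant",'
    '"error_description":"Session doesn\'t have required client"}'
)

if __name__ == "__main__":
    for name, tok in (("standard", STANDARD_TOKEN), ("remember-me", REMEMBER_ME_TOKEN)):
        print(name, classify_refresh_window(tok, SSO_SESSION_MAX_LIFESPAN))
    print(classify_token_endpoint_error(REPORTED_ERROR))
```

Run it against a real refresh token captured from the adapter's session (the `RefreshableKeycloakSecurityContext` holds it) to see whether the token's window reflects remember-me at all; if it does but the refresh still fails with the "required client" description, the problem is the client session being dropped server-side, which is exactly the expiry path Ken points at rather than the token itself.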