[keycloak-dev] Why does client session expire regardless remember-me extended validity?

Stefan Guilhen sguilhen at redhat.com
Thu Feb 14 20:57:58 EST 2019


Hi Ken,

Yes, it does make sense to me to use the remember-me value for the client
session as well. Marek, WDYT? Should we open a new Jira just for this or
can I just amend the commit to include this fix too?

Stefan

On Thu, Feb 14, 2019 at 10:34 AM Ken Haendel <kschwiersch at yahoo.de> wrote:

> Hi Stefan, Marek
>
>
> Thank you for your quick reply.
>
> I have recently tested your pull request [1], if that fixes my issue with
> the expired client session cache and it does NOT. It only fixes an issue
> with the user session cache.
>
> My proposal to fix that problem would be as follows (verified here):
>
> diff --git
> a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java
> b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java
> index b1429a6391..54cb244624 100755
> ---
> a/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java
> +++
> b/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanUserSessionProvider.java
> @@ -529,7 +529,7 @@ public class InfinispanUserSessionProvider implements
> UserSessionProvider {
>          localClientSessionCacheStoreIgnore
>                  .entrySet()
>                  .stream()
> -
> .filter(AuthenticatedClientSessionPredicate.create(realm.getId()).expired(expired))
> +
> .filter(AuthenticatedClientSessionPredicate.create(realm.getId()).expired(expiredRememberMe))
>
>
> Using that change, the life span of the client session would be longer for
> remember-me logins.
>
> Can you please check if that makes sense for you?
>
> It would be nice if a fix could be added in the next releases to make it
> unnecessary to patch the further release :-)
>
> Kind regards,
>
> Ken
>
>
> [1] https://github.com/keycloak/keycloak/pull/5852
> Am 13.02.19 um 18:27 schrieb Stefan Guilhen:
>
> It is possible that Ken is seeing something different. I will take a look
> into it to be sure.
>
> Best regards,
> Stefan
>
> On Wed, Feb 13, 2019, 13:43 Marek Posolda <mposolda at redhat.com wrote:
>
>> We have PR open, which is related to that [1], but not sure if that PR
>> fixes also your issue. It seems there is nothing related to client
>> sessions. I am CCing Stefan in case he has some more to it.
>>
>> In the meantime, if you are curious if fix works, I suggest to
>> cherry-pick Stefan's commit and build Keycloak and check if the
>> behaviour is fixed with that PR.
>>
>> [1] https://github.com/keycloak/keycloak/pull/5852
>>
>> Marek
>>
>> On 13/02/2019 14:15, Ken Haendel wrote:
>> > I have a problem authenticating a spring secured web-app using keycloak
>> > 4.8.3.
>> >
>> > If the user logs in with remember-me enabled, the user session does use
>> > a larger SSO max life span (ssoSessionMaxLifespanRememberMe).
>> >
>> > So far so good.
>> >
>> > Now i want to call another secured REST-API using the
>> KeycloakRestService.
>> >
>> > That triggers OAuthRequestAuthenticator to verify token
>> > (AdapterTokenVerifier.verifyTokens).
>> >
>> > That operation fails, because the client session expired much earlier
>> > (after ssoSessionMaxLifespan). The client session gets removed from the
>> > client session cache
>> > (InfinispanUserSessionProvider.removeExpiredUserSessions).
>> >
>> > Error message of AdapterTokenVerifier.verifyTokens() is:
>> >
>> > "ERROR RefreshableKeycloakSecurityContext Refresh token failure status:
>> > 400 {"error":"invalid_grant","error_description":"Session doesn't have
>> > required client"}"
>> >
>> >
>> > So, the point is: after the client session gets removed from cache (SSO
>> > max life span) i can no longer use the refresh token to request new
>> > tokens and call another REST-API service
>> >
>> > using the same identity as the web-app.
>> >
>> > Even though i have still a valid user session to use my spring app.
>> >
>> >
>> > Expectation was: I can use refresh token within the larger time span
>> > with remember-me enabled (SsoSessionMaxLifespanRememberMe).
>> >
>> > Actual behaviour is: Refresh token gets useless within the shorter time
>> > span (ssoSessionMaxLifespan)
>> >
>> > Question: Why is the client session removed so early and not when the
>> > user session expires? Is that expected behavoiur?
>> >
>> > Thank you in advance,
>> >
>> > Ken
>> >
>> >
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>>

-- 

STEFAN GUILHEN

PRINCIPAL SOFTWARE ENGINEER

Red Hat <https://www.redhat.com/>

sguilhen at redhat.com    M: +55-11-98117-7332
<https://red.ht/sig>
@RedHat <https://twitter.com/redhat>   Red Hat
<https://www.linkedin.com/company/red-hat>   Red Hat
<https://www.facebook.com/RedHatInc>


More information about the keycloak-dev mailing list