[keycloak-dev] [KEYCLOAK-9870] - Gatekeeper renewal does not renew refresh tokens
Pedro Igor Silva
psilva at redhat.com
Thu Jun 27 13:51:27 EDT 2019
It seems to be a bug. The first time you refresh, refresh count is 0, the
second time is 1, which is expected to fail. You should be able to continue
refreshing tokens if you are using the last RT obtained from the server.
If you look at the docs, this is basically a security layer to deal with
compromised RTs.
On Thu, Jun 27, 2019 at 1:58 PM Bruno Oliveira <bruno at abstractj.org> wrote:
> Some time ago we got a bug report for Gatekeeper related with refresh
> token revocation[1]. Here are the steps to reproduce:
>
> "In keycloak, menu Tokens, set "revoke refresh token" to ON with value
> set to 0. This means refresh token can be used only once.
>
> Gain access with a session through keycloak-gatekeeper, wait token
> expiry, try calling a resource: this works. Now wait again for a second
> token expiry. try calling a resource: failure - the refresh token has
> expired"
>
> From my perspective, it looks like the expected behavior and not a bug.
> If the access token has expired in the first time, the refresh token was
> used to obtain a new one and request access to the resource. So in the
> second request, failure should be expected.
>
> So it's better to ask. What is the expected behavior when "revoke
> refresh token" is set to 0 from the adapters? I tried to look at our docs,
> but couldn't find anything.
>
> [1] - https://issues.jboss.org/browse/KEYCLOAK-9870
>
> --
>
> abstractj
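The refresh-count behaviour Pedro describes, as an added example that is not Keycloak or Gatekeeper code: a toy token server that models "revoke refresh token" ON with a configurable max reuse (the per-session counter and the rejection rule are simplifying assumptions, not Keycloak's implementation), and a client simulation showing why only the most recently issued RT keeps working when max reuse is 0.

```python
import secrets
from dataclasses import dataclass


@dataclass
class RefreshToken:
    session_id: str
    count: int   # number of refreshes that preceded this RT in its session
    value: str   # opaque token string (constructed here, not a real JWT)


class TokenServer:
    """Toy server: 'revoke refresh token' ON, 'max reuse' = max_reuse."""

    def __init__(self, max_reuse: int = 0):
        self.max_reuse = max_reuse
        self.newest = {}   # session_id -> count of the newest RT issued

    def _issue(self, session_id: str, count: int) -> RefreshToken:
        self.newest[session_id] = count
        return RefreshToken(session_id, count, secrets.token_urlsafe(16))

    def login(self) -> RefreshToken:
        return self._issue(secrets.token_hex(8), 0)

    def refresh(self, rt: RefreshToken) -> RefreshToken:
        # Integrity/lookup of the token is assumed; only the reuse rule is modelled:
        # an RT more than max_reuse steps behind the newest one is treated as a replay.
        if self.newest[rt.session_id] - rt.count > self.max_reuse:
            raise PermissionError("refresh token revoked: reuse detected")
        return self._issue(rt.session_id, self.newest[rt.session_id] + 1)


def simulate(server: TokenServer, rounds: int, keep_latest: bool) -> int:
    """Return how many refreshes succeed before the server rejects one.

    keep_latest=True: the client stores each new RT and presents it next time.
    keep_latest=False: the client keeps presenting the RT from login (the
    reported Gatekeeper behaviour), so with max_reuse=0 only the first works.
    """
    original = rt = server.login()
    successes = 0
    for _ in range(rounds):
        try:
            rt = server.refresh(rt if keep_latest else original)
        except PermissionError:
            break
        successes += 1
    return successes
```

With max reuse 0 a client that stores each new RT refreshes indefinitely, while one that keeps the original RT succeeds exactly once and fails on the second refresh, matching the reported steps.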