[keycloak-dev] [KEYCLOAK-9870] - Gatekeeper renewal does not renew refresh tokens

Bruno Oliveira bruno at abstractj.org
Thu Jun 27 14:10:09 EDT 2019


Thank you Pedro, that helps. Now it's clear what is expected from "Refresh Token Max Reuse" when 0 is set.

On 2019-06-27, Pedro Igor Silva wrote:
> It seems to be a bug. The first time you refresh, refresh count is 0, the
> second time is 1, which is expected to fail. You should be able to continue
> refreshing tokens if you are using the last RT obtained from the server.
> 
> If you look at the docs, this is basically a security layer to deal with
> compromised RTs.
> 
> On Thu, Jun 27, 2019 at 1:58 PM Bruno Oliveira <bruno at abstractj.org> wrote:
> 
> > Some time ago we got a bug report for Gatekeeper related to refresh
> > token revocation[1]. Here are the steps to reproduce:
> >
> > "In keycloak, menu Tokens, set "revoke refresh token" to ON with value
> > set to 0.  This means refresh token can be used only once.
> >
> > Gain access with a session through keycloak-gatekeeper, wait token
> > expiry, try calling a resource: this works.  Now wait again for a second
> > token expiry.  try calling a resource: failure - the refresh token has
> > expired"
> >
> > From my perspective, it looks like the expected behavior and not a bug.
> > If the access token has expired in the first time, the refresh token was
> > used to obtain a new one and request access to the resource. So in the
> > second request, failure should be expected.
> >
> > So it's better to ask. What is the expected behavior when "revoke
> > refresh token" is set to 0 from the adapters? I tried to look at our docs,
> > but couldn't find anything.
> >
> > [1] - https://issues.jboss.org/browse/KEYCLOAK-9870
> >
> > --
> >
> > abstractj
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >

-- 

abstractj

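To make the semantics Pedro describes concrete, here is an added example (written for this thread; it is neither Gatekeeper nor Keycloak code, and the in-memory token server is an assumed, simplified model of the realm settings, not Keycloak's implementation). It models "Revoke Refresh Token" ON with a configurable "Refresh Token Max Reuse", and runs two clients against it: one that keeps presenting the refresh token it received at login, which fails on the second refresh when Max Reuse is 0 exactly as in the bug report, and one that stores the refresh token returned by every refresh and keeps working. The token strings, function names and the "access token has expired before every call" simplification are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Sentinel errors for the two ways a refresh can be rejected (assumed names).
var (
	ErrUnknownRefreshToken = errors.New("unknown or revoked refresh token")
	ErrMaxReuseExceeded    = errors.New("maximum allowed refresh token reuse exceeded")
)

// TokenPair is what the token endpoint returns on login and on every refresh.
type TokenPair struct {
	AccessToken  string
	RefreshToken string
}

// TokenServer is an in-memory model of the realm token settings discussed in
// the thread (example code, not Keycloak). Per issued refresh token it records
// how many times that token has already been presented.
type TokenServer struct {
	RevokeRefreshToken bool // the "Revoke Refresh Token" switch
	MaxReuse           int  // the "Refresh Token Max Reuse" value
	useCount           map[string]int
	nextID             int
}

func NewTokenServer(revoke bool, maxReuse int) *TokenServer {
	return &TokenServer{RevokeRefreshToken: revoke, MaxReuse: maxReuse, useCount: map[string]int{}}
}

func (s *TokenServer) issue() TokenPair {
	s.nextID++
	rt := fmt.Sprintf("rt-%d", s.nextID)
	s.useCount[rt] = 0 // a fresh token has never been presented
	return TokenPair{AccessToken: fmt.Sprintf("at-%d", s.nextID), RefreshToken: rt}
}

// Login models the initial code exchange and returns the first pair.
func (s *TokenServer) Login() TokenPair { return s.issue() }

// Refresh models the refresh_token grant. With revocation on, the use count is
// 0 on the first refresh with a given token, 1 on the second, and any count
// above MaxReuse is rejected, so MaxReuse = 0 means strictly single use. A new
// refresh token is returned on every successful refresh; the caller must keep it.
func (s *TokenServer) Refresh(rt string) (TokenPair, error) {
	count, ok := s.useCount[rt]
	if !ok {
		return TokenPair{}, ErrUnknownRefreshToken
	}
	if s.RevokeRefreshToken && count > s.MaxReuse {
		return TokenPair{}, ErrMaxReuseExceeded
	}
	s.useCount[rt] = count + 1
	return s.issue(), nil
}

// Client is a relying party (think of the Gatekeeper proxy) whose access token
// has expired before every call, so each resource call starts with a refresh.
// Rotate=false reproduces the reported behaviour: the client keeps refreshing
// with the token it got at login instead of the latest one the server issued.
type Client struct {
	Server *TokenServer
	Rotate bool
	rt     string
}

// CallResource refreshes and then "calls" the resource; it returns the refresh
// error, if any, so the caller can see which request failed.
func (c *Client) CallResource() error {
	pair, err := c.Server.Refresh(c.rt)
	if err != nil {
		return err
	}
	if c.Rotate {
		c.rt = pair.RefreshToken
	}
	return nil
}

// Simulate performs n resource calls and reports how many succeeded before the
// first failure, together with that failure (nil if all succeeded).
func Simulate(revoke bool, maxReuse int, rotate bool, n int) (int, error) {
	s := NewTokenServer(revoke, maxReuse)
	c := &Client{Server: s, Rotate: rotate, rt: s.Login().RefreshToken}
	for i := 0; i < n; i++ {
		if err := c.CallResource(); err != nil {
			return i, err
		}
	}
	return n, nil
}

func main() {
	for _, tc := range []struct {
		name   string
		rotate bool
	}{{"reuse login RT (reported behaviour)", false}, {"use latest RT", true}} {
		ok, err := Simulate(true, 0, tc.rotate, 3)
		fmt.Printf("%-36s succeeded=%d err=%v\n", tc.name, ok, err)
	}
}
```

With Max Reuse raised to 1 the non-rotating client gets one extra refresh before the same failure, which is the generalisation of Pedro's "first time the count is 0, second time it is 1" reading; only a client that stores the refresh token from each response keeps working indefinitely under revocation.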