[keycloak-user] Offline Tokens Become Useless When SSO Session Max is Reached

Marek Posolda mposolda at redhat.com
Thu Jan 12 03:43:32 EST 2017


On 12/01/17 08:44, Scott Finlay wrote:
>
> Hi Marek,
>
> > Even after the "SSO Session Max" is reached and the "normal" session is
> > expired, you should be still able to see the offline session
>
> That's actually kind of the problem. We are able to still use the
> offline token to refresh the access token, but that access token doesn't
> have any active session behind it, so when we try to register a new
> identity with it we get a 401 back. How can we make it so that refreshing
> also revives the session (or creates a new one)?
>
Ah, you're trying to use that accessToken to authenticate against our 
admin REST API. I can see this won't work ATM, as you pointed out, since 
AdminRoot.authenticateRealmAdminRequest needs an active userSession.

This accessToken works fine with the REST services which use our 
adapter (BearerTokenRequestAuthenticator), but doesn't work for admin 
REST. Can you please create a JIRA for this?

Thanks,
Marek
>
>
> Regards,
>
> Scott
>
> ------------------------------------------------------------------------
> *From:* Marek Posolda <mposolda at redhat.com>
> *Sent:* Wednesday, January 11, 2017 10:56:02 PM
> *To:* Scott Finlay; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Offline Tokens Become Useless When SSO 
> Session Max is Reached
> Even after the "SSO Session Max" is reached and the "normal" session is
> expired, you should be still able to see the offline session (in the
> "Offline access" tab in the admin console). And also you should be still
> able to use the offline token to send the refreshToken request and issue
> new accessToken, which can then be used to access REST endpoints.
>
> Note that offline token survives even server restart.
>
> You can try to look at our demo example and try the "offline-access-app"
> application from it.
>
> Marek
>
> On 11/01/17 11:48, Scott Finlay wrote:
> > Hi,
> >
> > We have an application which creates users in Keycloak using offline
> > tokens. But we're having an issue where Keycloak returns a 401
> > (unauthorized) when we would try to make requests to it using an
> > access token generated using our offline token. After some
> > investigation we found that there exists a setting in Keycloak called
> > "SSO Session Max" which seems to be an expiration time of the session
> > itself, and after that amount of time, even if the access or refresh
> > tokens are still valid, the session is killed. We found that the
> > amount of time between when we last deployed and the first occurrence
> > of the unauthorized error was 10 hours (the same as the SSO Session
> > Max), and we tested locally with a short max time and were able to
> > reproduce the problem.
> >
> > Then we found that when we use the offline token, our code thinks
> > that the refresh token expiration time is 0 (which is to be expected
> > since it's an offline token), and when the session lifetime is
> > reached, it continues to use its "unlimited" refresh token to try to
> > generate new access tokens, and it seems that Keycloak still issues
> > new access tokens using that refresh token even though the session
> > doesn't exist, and these tokens don't work. Since Keycloak continues
> > to issue tokens and since it doesn't tell us anything about the
> > session max time, the code has no idea that the tokens are actually
> > not valid.
> >
> > We can see this happening in the Keycloak admin panel as well; when
> > SSO Session Max is reached the session disappears, but the offline
> > session is still there and the "last refresh" time still updates.
> > Inside the token itself we can see that it's still connected to a
> > client session, but we can see no sessions anymore. After looking into
> > the logs of Keycloak we found this error:
> >
> > 16:39:57,664 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-63) RESTEASY002005: Failed executing POST /admin/realms/Myrealm/users: org.jboss.resteasy.spi.UnauthorizedException: Bearer
> >          at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:178)
> >          at org.keycloak.services.resources.admin.AdminRoot.getRealmsAdmin(AdminRoot.java:209)
> >          at sun.reflect.GeneratedMethodAccessor511.invoke(Unknown Source)
> >
> > Tracing that through the code of Keycloak we found this, which seems
> > to indicate that there must be a valid session associated with tokens:
> >
> > Starting here:
> > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java#L178
> >
> > Then to here:
> > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/managers/AppAuthManager.java#L58
> >
> > And finally here:
> > https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java#L731
> >
> > Is this expected behavior? Are we misunderstanding something or in
> > some way misusing offline tokens?
> >
> > Regards,
> > Scott
> >
>
>
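A client-side guard for the behaviour Scott describes (the offline refresh token keeps yielding access tokens after "SSO Session Max", but admin REST answers 401 because no user session backs them), as an added example that is not part of this thread or of Keycloak itself. The endpoint paths, client_id, token values and the fake server are constructed assumptions, and `http_post` is injected so the logic runs offline.

```python
"""Client guard for the failure mode in the thread: an offline refresh token keeps
yielding access tokens after "SSO Session Max", but admin REST rejects them with
401 because no user session backs them. Added example, not Keycloak project code;
the URLs, client_id and the fake server below are constructed here."""
import json


class OfflineSessionDead(Exception):
    """Refresh worked but admin REST still says 401: log in again, do not loop."""


class AdminClient:
    def __init__(self, base, realm, client_id, refresh_token, http_post):
        self.token_url = f"{base}/auth/realms/{realm}/protocol/openid-connect/token"
        self.users_url = f"{base}/auth/admin/realms/{realm}/users"
        self.client_id, self.refresh_token, self.http_post = client_id, refresh_token, http_post
        self.access_token, self.refresh_never_expires = None, False

    def refresh(self):
        status, body = self.http_post(self.token_url, {"grant_type": "refresh_token",
            "client_id": self.client_id, "refresh_token": self.refresh_token}, {})
        if status != 200:
            raise OfflineSessionDead(f"refresh rejected with HTTP {status}")
        tok = json.loads(body)
        self.access_token = tok["access_token"]
        # refresh_expires_in == 0 is how an offline token reports "never expires";
        # it says nothing about whether the SSO session behind it still exists.
        self.refresh_never_expires = tok.get("refresh_expires_in", 1) == 0

    def create_user(self, user):
        """POST a user, refreshing once on 401; a second 401 is the dead-session case."""
        for _ in range(2):
            if self.access_token is None:
                self.refresh()
            status, _ = self.http_post(self.users_url, json.dumps(user),
                                       {"Authorization": f"Bearer {self.access_token}"})
            if status != 401:
                return status
            self.access_token = None  # drop it; the next pass refreshes first
        raise OfflineSessionDead("freshly refreshed access token rejected by admin REST")


def fake_keycloak(session_alive):
    """Constructed server: token endpoint always honours the offline token, admin REST needs a session."""
    def post(url, data, headers):
        if url.endswith("/token"):
            return 200, json.dumps({"access_token": "at-fresh", "refresh_expires_in": 0})
        if session_alive and headers.get("Authorization") == "Bearer at-fresh":
            return 201, ""
        return 401, "Bearer"
    return post
```

With the session alive the user is created; once the session is gone the client raises after one refresh-and-retry instead of burning through endless refreshes that never signal the problem.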
