[keycloak-user] Refresh token error

Göttlich, Thomas thomas.goettlich at it-informatik.de
Wed Jun 21 09:43:36 EDT 2017


Hi,

I basically did what I described in this issue I posted: https://issues.jboss.org/browse/KEYCLOAK-4820
(I unfortunately didn’t have time to prepare the pull request as well as the test yet.)

The main part is extending FilterRequestAuthenticator and overwriting changeHttpSessionId() as follows:

import javax.servlet.http.HttpSession;

// Goes into a subclass of FilterRequestAuthenticator; 'request' is the HttpServletRequest
// field inherited from the authenticator.
@Override
protected String changeHttpSessionId(boolean pCreate) {
  // Discard the pre-login session entirely, so a session id fixed before
  // authentication cannot survive into the authenticated session.
  HttpSession session = request.getSession(false);
  if (session != null) {
    session.invalidate();
  }
  return super.changeHttpSessionId(pCreate);
}

To use the custom authenticator we then had to subclass KeycloakOIDCFilter and copy doFilter() along with a few other methods because the original doFilter() contains this line:

FilterRequestAuthenticator authenticator = new FilterRequestAuthenticator(deployment, tokenStore, facade, request, 8443);

In our copy of doFilter() we only changed that line to get an instance of our custom authenticator.


Kind regards

p.p. Thomas Göttlich
-------------------------------------------------------------
Development factor:plus
+49 (0)731 / 9 35 42 -301
thomas.goettlich at it-informatik.de
-------------------------------------------------------------
IT-Informatik GmbH
Magirus-Deutz-Straße 17, 89077 Ulm
Fax: +49 (0)731 / 9 35 42 - 130
www.it-informatik.de
-------------------------------------------------------------
Ulm District Court: HRB 2662
Registered office: Ulm
VAT ID: DE 145567338
Managing Partner: Günter Nägele

From: Thomas Darimont [mailto:thomas.darimont at googlemail.com]
Sent: Wednesday, 21 June 2017 15:14
To: Göttlich, Thomas <thomas.goettlich at it-informatik.de>
Cc: keycloak-user <keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Refresh token error

Hi Thomas,

Great you figured this out.

Would you mind elaborating a bit about what you did with respect to session fixation prevention?

Cheers,
Thomas


On 21 Jun 2017 at 2:55 PM, "Göttlich, Thomas" <thomas.goettlich at it-informatik.de> wrote:
Never mind, I found the problem (at least I think I did):

- SSO session idle: 1 minute
- Access token lifespan: 1 minute

When the access token has timed out and the application needs to refresh it, the SSO session has also timed out already, hence the error.
Setting SSO session idle to 2 minutes or more fixes the issue.

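The diagnosis above (a refresh token can only be redeemed while the SSO session is still alive, and the adapter only refreshes once the access token has expired, so the idle timeout must exceed the token lifespan) is easy to get wrong again in another realm. As an added example, not code from this thread or from Keycloak, here is a small Java model of that rule that a realm reviewer can run against a set of timeout values; it is a simplified model of the check, with the boundary assumed to be "idle for at least the idle timeout means expired", and the class and method names are my own. The findings it prints for the thread's two configurations are shown in main().

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Simplified model of how Keycloak's SSO session timeouts bound a refresh_token grant
 * (added example, not Keycloak code). A refresh is only accepted while the SSO session is
 * alive: it must not have been idle for the "SSO session idle" timeout and must not be
 * older than "SSO session max". The servlet adapter refreshes only after the access token
 * has expired, so the idle timeout must exceed the access token lifespan, with a margin.
 */
public final class RefreshTimeoutModel {

  private final long ssoIdleSeconds;
  private final long ssoMaxSeconds;
  private final long accessTokenLifespanSeconds;

  public RefreshTimeoutModel(long ssoIdleSeconds, long ssoMaxSeconds, long accessTokenLifespanSeconds) {
    this.ssoIdleSeconds = ssoIdleSeconds;
    this.ssoMaxSeconds = ssoMaxSeconds;
    this.accessTokenLifespanSeconds = accessTokenLifespanSeconds;
  }

  /**
   * True if a refresh at {@code now} would be accepted for a session started at
   * {@code sessionStart} whose last login/refresh happened at {@code lastRefresh}
   * (all values in seconds on the same clock).
   */
  public boolean refreshAccepted(long sessionStart, long lastRefresh, long now) {
    boolean idleExpired = now - lastRefresh >= ssoIdleSeconds;
    boolean maxExpired = now - sessionStart >= ssoMaxSeconds;
    return !idleExpired && !maxExpired;
  }

  /** Seconds the adapter has left to refresh once the access token expires; <= 0 means never. */
  public long refreshWindowAfterExpiry() {
    return ssoIdleSeconds - accessTokenLifespanSeconds;
  }

  /** Configuration findings a realm reviewer would want to see. */
  public List<String> findings() {
    List<String> out = new ArrayList<>();
    long window = refreshWindowAfterExpiry();
    if (window <= 0) {
      out.add("SSO session idle (" + ssoIdleSeconds + "s) must exceed access token lifespan ("
          + accessTokenLifespanSeconds + "s): every refresh after expiry fails with invalid_grant");
    } else if (window < 30) {
      out.add("only " + window + "s to refresh after token expiry; clock skew or a slow"
          + " first request can still produce 'Refresh token expired'");
    }
    if (ssoMaxSeconds < ssoIdleSeconds) {
      out.add("SSO session max is shorter than SSO session idle, so max always wins");
    }
    return out;
  }

  public static void main(String[] args) {
    // Values from the thread: idle 1 min, max 10 h, access token lifespan 1 min.
    RefreshTimeoutModel broken = new RefreshTimeoutModel(60, 36_000, 60);
    // The fix from the thread: idle raised to 2 min.
    RefreshTimeoutModel fixed = new RefreshTimeoutModel(120, 36_000, 60);

    long login = 0;
    long tokenExpiry = login + 60; // the adapter notices the expiry here at the earliest
    for (RefreshTimeoutModel m : new RefreshTimeoutModel[] {broken, fixed}) {
      System.out.println("idle=" + m.ssoIdleSeconds + "s: refresh at token expiry accepted? "
          + m.refreshAccepted(login, login, tokenExpiry)
          + ", 30s later? " + m.refreshAccepted(login, login, tokenExpiry + 30));
      for (String f : m.findings()) {
        System.out.println("  finding: " + f);
      }
    }
  }
}
```

With idle 60s and lifespan 60s the model rejects the refresh even at the exact moment of expiry, which matches the REFRESH_TOKEN_ERROR seen in the thread; with idle 120s both the immediate and the 30s-late refresh pass and no finding is reported.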

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Göttlich, Thomas
Sent: Wednesday, 21 June 2017 13:14
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Refresh token error

Hi there,

We're currently integrating two Java server applications via Keycloak and use a subclass of KeycloakOIDCFilter on the client side.
The subclassing is done mainly to facilitate configuration (which is loaded from the database) as well as some adjustments on session fixation prevention and login redirect handling.

It works well so far, with one exception: when the access token times out and needs to be refreshed, we get the following error:

- Client: [org.keycloak.adapters.RefreshableKeycloakSecurityContext] Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Refresh token expired"}
- Keycloak: [org.keycloak.events] type=REFRESH_TOKEN_ERROR, realmId=our_realm, clientId=our_client, userId=null, ipAddress=127.0.0.1, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret

So far I could verify that the refresh token is not null, so either it is invalid or the request is faulty.

For testing purposes we have set the following timeouts:

- SSO session idle: 1 minute
- SSO session max: 10 hours
- Access token lifespan: 1 minute
- Access token lifespan for implicit flow: 1 minute

The client has the following settings:

- Only standard flow enabled
- Access type: confidential
- Client protocol: openid-connect

Any idea what could cause that error or where we should look?

Thanks in advance,

Thomas
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
