[keycloak-user] Unable To Use Refresh Token

Hynek Mlnarik hmlnarik at redhat.com
Tue Mar 7 09:20:37 EST 2017


Depending on your setup, you should be using either standalone-ha.xml
or standalone-full-ha.xml to run in a cluster.

--Hynek

On Tue, Mar 7, 2017 at 2:52 PM, Sagar Ahire
<sagarahire at arvindinternet.com> wrote:
> I'm using the standard Keycloak 2.4.0 docker image, I modified the
> standalone.xml in docker file. I've increased owners count to 4. Following
> are the tags I changed in *standalone.xml*.
> <distributed-cache name="sessions" mode="SYNC" owners="4"/>
> <distributed-cache name="offlineSessions" mode="SYNC" owners="4"/>
> <distributed-cache name="loginFailures" mode="SYNC" owners="4"/>
> <distributed-cache name="authorization" mode="SYNC" owners="4"/>
>
> But I'm still facing the same issue. Is standalone.xml the correct file I
> need to change? Or am I missing something here?
>
>
> regards,
>  -Sagar
>
> On Mon, Mar 6, 2017 at 7:31 PM, Andrew Zenk <azenk at umn.edu> wrote:
>
>> Have you increased the owner count for the various caches to something
>> greater than 1?
>>
>> On Mar 6, 2017 7:56 AM, "Sagar Ahire" <sagarahire at arvindinternet.com>
>> wrote:
>>
>>> Hello,
>>>
>>> I've deployed Keycloak 2.4.0 in a kubernetes environment. While refreshing
>>> the access token I'm getting the following response.
>>> {'error': 'invalid_grant', 'error_description': 'Client session not
>>> active'}.
>>>
>>> Here is what I did:
>>> Step1: First, I generated three access tokens and refresh tokens
>>> (rf1,rf2,rf3), then I used these refresh_tokens to refresh the access
>>> tokens. I got the access tokens successfully for all three requests.
>>> (Successful scenario)
>>>
>>> Step2: I restarted some of the pods from the Keycloak cluster, I tried to
>>> refresh the access tokens using the same refresh tokens(rf1,rf2,rf3)
>>> again, using rf1 I could refresh the access token but using rf2,rf3 I got
>>> the response mentioned above ('client session not active'). I made sure
>>> rf2 and rf3 are not expired.
>>>
>>> I'm unable to use refresh token even though it is not expired. I suspect
>>> session created on one pod is not properly shared between all the members
>>> of a cluster and I'm losing the session if one of my pods is restarted or
>>> goes down.
>>>
>>> Can someone please suggest any solution for this? Any help would be
>>> greatly appreciated.
>>>
>>>
>>>
>>>
>>> regards,
>>>  -Sagar
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>



-- 

--Hynek
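
A way to check a server config for the two points raised in this thread (clustered profile, cache owners greater than 1), as an added example that is not part of the original messages. The function names, the sample configs and their namespace versions are constructed; recognising a clustered profile by a JGroups subsystem plus a <transport> element in the "keycloak" cache-container is an assumption about how the -ha profiles differ from standalone.xml.

```python
import xml.etree.ElementTree as ET

# Cache names taken from the config lines quoted in the thread.
SESSION_CACHES = ("sessions", "offlineSessions", "loginFailures", "authorization")

def local(tag):
    """Strip the XML namespace so the check works across subsystem versions."""
    return tag.rsplit("}", 1)[-1]

def audit_cluster_config(xml_text, min_owners=2):
    """Return a list of findings; an empty list means no problem was detected."""
    root = ET.fromstring(xml_text)
    findings = []
    if not any(":jgroups:" in e.tag for e in root.iter()):
        findings.append("no jgroups subsystem: nodes cannot form a cluster")
    container = next((e for e in root.iter() if local(e.tag) == "cache-container"
                      and e.get("name") == "keycloak"), None)
    if container is None:
        return findings + ["no 'keycloak' cache-container found"]
    if not any(local(c.tag) == "transport" for c in container):
        findings.append("cache-container has no <transport>: caches stay node-local")
    for cache in container:
        name, kind = cache.get("name"), local(cache.tag)
        if name not in SESSION_CACHES:
            continue
        if kind == "local-cache":
            findings.append(f"{name}: local-cache is never shared between nodes")
        # An absent owners attribute falls back to the subsystem default (not checked).
        elif kind == "distributed-cache" and cache.get("owners") is not None:
            if int(cache.get("owners")) < min_owners:
                findings.append(f"{name}: owners={cache.get('owners')} keeps a single "
                                "copy, lost when the owning node restarts")
    return findings

def sample(ha, owners):
    """Build a constructed, trimmed config for demonstration (not a real Keycloak file)."""
    caches = "".join(f'<distributed-cache name="{n}" mode="SYNC" owners="{o}"/>'
                     for n, o in zip(SESSION_CACHES, owners))
    jgroups = '<subsystem xmlns="urn:jboss:domain:jgroups:4.0"/>' if ha else ""
    transport = '<transport lock-timeout="60000"/>' if ha else ""
    return (f'<server><profile>{jgroups}<subsystem xmlns="urn:jboss:domain:infinispan:4.0">'
            f'<cache-container name="keycloak">{transport}{caches}</cache-container>'
            f'</subsystem></profile></server>')

if __name__ == "__main__":
    for label, cfg in (("standalone.xml with owners=4", sample(False, [4] * 4)),
                       ("ha profile, sessions owners=1", sample(True, [1, 2, 2, 2]))):
        print(label, "->", audit_cluster_config(cfg) or "ok")
```

The first sample mirrors the situation described in the thread: raising owners in a non-clustered profile still leaves two findings, because the nodes have no cluster transport to copy sessions over.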

