[keycloak-user] Unable To Use Refresh Token

Andrew Zenk azenk at umn.edu
Thu Mar 9 01:20:08 EST 2017


Beyond looking at debug log output, is there a way to check on the health
of the cache?  It would be useful here.  I know there's a feature request
open for a health endpoint but, to my knowledge, it hasn't been worked on
yet.  Ideally I'd like to be able to verify that all nodes are joined to
the cluster and that all data has been replicated/balanced appropriately.

Anyway, if you turn up logging a bit you should see some output from one of
the JGroups packages showing the current cluster members.  I've been using
the kube_ping module successfully for discovery on OpenShift.

On Wed, Mar 8, 2017 at 11:41 PM, Sagar Ahire <sagarahire at arvindinternet.com>
wrote:

> I tried with standalone-ha.xml, still facing the same issue.
>
> regards,
>  -Sagar
>
> On Tue, Mar 7, 2017 at 7:50 PM, Hynek Mlnarik <hmlnarik at redhat.com> wrote:
>
>> Depending on your setup, you should be using either standalone-ha.xml
>> or standalone-full-ha.xml to run in a cluster.
>>
>> --Hynek
>>
>> On Tue, Mar 7, 2017 at 2:52 PM, Sagar Ahire
>> <sagarahire at arvindinternet.com> wrote:
>> > I'm using the standard Keycloak 2.4.0 Docker image. I modified the
>> > standalone.xml in the Docker file. I've increased the owners count to 4.
>> > Following are the tags I changed in *standalone.xml*.
>> > <distributed-cache name="sessions" mode="SYNC" owners="4"/>
>> > <distributed-cache name="offlineSessions" mode="SYNC" owners="4"/>
>> > <distributed-cache name="loginFailures" mode="SYNC" owners="4"/>
>> > <distributed-cache name="authorization" mode="SYNC" owners="4"/>
>> >
>> > But I'm still facing the same issue. Is standalone.xml the correct file I
>> > need to change? Or am I missing something here?
>> >
>> >
>> > regards,
>> >  -Sagar
>> >
>> > On Mon, Mar 6, 2017 at 7:31 PM, Andrew Zenk <azenk at umn.edu> wrote:
>> >
>> >> Have you increased the owner count for the various caches to something
>> >> greater than 1?
>> >>
>> >> On Mar 6, 2017 7:56 AM, "Sagar Ahire" <sagarahire at arvindinternet.com>
>> >> wrote:
>> >>
>> >>> Hello,
>> >>>
>> >>> I've deployed Keycloak 2.4.0 in a Kubernetes environment. While
>> >>> refreshing the access token I'm getting the following response:
>> >>> {'error': 'invalid_grant', 'error_description': 'Client session not active'}.
>> >>>
>> >>> Here is what I did:
>> >>> Step 1: First, I generated three access tokens and refresh tokens
>> >>> (rf1, rf2, rf3), then I used these refresh tokens to refresh the access
>> >>> tokens. I got the access tokens successfully for all three requests.
>> >>> (Successful scenario)
>> >>>
>> >>> Step 2: I restarted some of the pods from the Keycloak cluster. I tried
>> >>> to refresh the access tokens using the same refresh tokens (rf1, rf2,
>> >>> rf3) again. Using rf1 I could refresh the access token, but using rf2
>> >>> and rf3 I got the response mentioned above ('client session not
>> >>> active'). I made sure rf2 and rf3 are not expired.
>> >>>
>> >>> I'm unable to use the refresh token even though it is not expired. I
>> >>> suspect the session created on one pod is not properly shared between
>> >>> all the members of the cluster, and I'm losing the session if one of my
>> >>> pods is restarted or goes down.
>> >>>
>> >>> Can someone please suggest any solution for this? Any help would be
>> >>> greatly appreciated.
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> regards,
>> >>>  -Sagar
>> >>> _______________________________________________
>> >>> keycloak-user mailing list
>> >>> keycloak-user at lists.jboss.org
>> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >>>
>> >>
>>
>>
>>
>> --
>>
>> --Hynek
>>
>
>


-- 
Andrew Zenk, EIT
Polar Geospatial Center
University of Minnesota
Office: (612) 625-0872
Cell: (612) 414-9617
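
Added example, not part of the original thread or of Keycloak itself: a Python check of the cache settings discussed above, flagging session caches that are local or have fewer than two owners. The XML is a constructed sample; the container name `keycloak`, the use of `<transport>` as the sign of a clustered container, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Caches named in the thread.
SESSION_CACHES = ("sessions", "offlineSessions", "loginFailures", "authorization")

# Constructed sample shaped like the Infinispan subsystem of a WildFly
# standalone*.xml. The namespace version is a placeholder, not a real value.
SAMPLE = """
<subsystem xmlns="urn:jboss:domain:infinispan:PLACEHOLDER">
  <cache-container name="keycloak">
    <transport lock-timeout="60000"/>
    <distributed-cache name="sessions" mode="SYNC" owners="4"/>
    <distributed-cache name="offlineSessions" mode="SYNC" owners="1"/>
    <local-cache name="loginFailures"/>
  </cache-container>
</subsystem>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_caches(xml_text):
    """Return findings for session caches that may not survive a node restart."""
    root = ET.fromstring(xml_text)
    container = next((e for e in root.iter() if local(e.tag) == "cache-container"
                      and e.get("name") == "keycloak"), None)
    if container is None:
        return ["no 'keycloak' cache-container found"]
    findings = []
    # Assumption: a clustered container declares a <transport> child.
    if not any(local(c.tag) == "transport" for c in container):
        findings.append("no <transport>: container is not clustered")
    caches = {c.get("name"): c for c in container if local(c.tag).endswith("-cache")}
    for name in SESSION_CACHES:
        cache = caches.get(name)
        kind = local(cache.tag) if cache is not None else None
        if cache is None:
            findings.append(f"{name}: not defined")
        elif kind == "local-cache":
            findings.append(f"{name}: local-cache, entries stay on one node")
        elif kind == "distributed-cache":
            owners = cache.get("owners")
            if owners is None:
                findings.append(f"{name}: owners not set explicitly")
            elif int(owners) < 2:
                findings.append(f"{name}: owners={owners}, one restart can drop entries")
    return findings

if __name__ == "__main__":
    for line in audit_caches(SAMPLE):
        print(line)
```

Run it against the configuration file the container actually starts with, since editing a file the server does not load changes nothing.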

