[keycloak-user] Offline Tokens Become Useless When SSO Session Max is Reached - 2.0

Heide, Marc heide at 365farmnet.com
Tue May 2 08:43:12 EDT 2017


Hi,

We try to use Keycloak with offline tokens for end users, but in contradiction to 
https://lists.jboss.org/pipermail/keycloak-user/2017-January/009096.html
where the Admin API is requested, we try to access the UserInfo endpoint. 

As soon as the user session that created the offline token has died, the UserInfo endpoint returns a 401 with:
{
  "error": "invalid_request",
  "error_description": "User session not found"
}

By looking at 
https://issues.jboss.org/browse/KEYCLOAK-4201 and
https://issues.jboss.org/browse/KEYCLOAK-4371

and, without really knowing the internals, could it be the same problem here in the UserInfoEndpoint class, line 142?
It obviously does not consider offline sessions at all. Is that wanted behavior?

According to the OIDC spec, the UserInfo endpoint should be usable with a valid offline access token even if the user session has been ended.
(http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess)

Best Regards
Marc
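A reproduction of the sequence described in the post (mint an offline token, let the SSO session that created it reach SSO Session Max, refresh with the offline token, then call UserInfo), as an added example that is not part of the original message or of Keycloak itself. The base URL, realm, client and credentials are assumptions to adapt; the 401 body matched by is_session_not_found is the one quoted above.

```python
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError

KEYCLOAK_URL = "http://localhost:8080/auth"  # assumed base URL (2017-era /auth context path)
REALM = "demo"                                # assumed realm name
CLIENT_ID = "offline-client"                  # assumed public client allowed to request offline_access
USERNAME, PASSWORD = "alice", "secret"        # constructed test credentials

def oidc_url(endpoint):
    return f"{KEYCLOAK_URL}/realms/{REALM}/protocol/openid-connect/{endpoint}"

def call(url, fields=None, bearer=None):
    """POST form fields (GET when fields is None); return (HTTP status, JSON body)."""
    data = urllib.parse.urlencode(fields).encode() if fields is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data is not None else "GET")
    if bearer:
        req.add_header("Authorization", f"Bearer {bearer}")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def offline_token_request():
    """Password grant that asks for an offline token via scope=offline_access."""
    return {"grant_type": "password", "client_id": CLIENT_ID, "username": USERNAME,
            "password": PASSWORD, "scope": "openid offline_access"}

def refresh_request(offline_refresh_token):
    """Refresh grant using the offline token to mint a fresh access token."""
    return {"grant_type": "refresh_token", "client_id": CLIENT_ID,
            "refresh_token": offline_refresh_token}

def is_session_not_found(status, body):
    """True for exactly the 401 body quoted in the post."""
    return (status == 401 and body.get("error") == "invalid_request"
            and body.get("error_description") == "User session not found")

def reproduce():
    """Mint an offline token, wait out SSO Session Max, refresh, then hit UserInfo."""
    _, tokens = call(oidc_url("token"), offline_token_request())
    input("Offline token minted; wait until SSO Session Max has passed, then press Enter")
    _, fresh = call(oidc_url("token"), refresh_request(tokens["refresh_token"]))
    status, body = call(oidc_url("userinfo"), bearer=fresh["access_token"])
    return is_session_not_found(status, body), status, body
```

Set the realm's SSO Session Max to a minute or two before running so the originating session expires quickly; reproduce() returns True when UserInfo answers with the "User session not found" error.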
