[keycloak-user] can't use refresh token with keycloak-gatekeeper
Andrey Kozichev
akozichev at gmail.com
Tue Nov 20 19:01:06 EST 2018
Hello!
Has anyone come across the use of refresh tokens with keycloak-gatekeeper?
I've got a web app running behind keycloak-gatekeeper. Currently the session
expires after 5 minutes of inactivity. In the logs I see "session expired
and access token refreshing is disabled".
To avoid this, I am trying to enable "refresh tokens" on my gatekeeper
proxy by adding "--enable-refresh-tokens=true". The full list of
configuration options:
- --client-id=my_clientid
- --discovery-url=<keycloak_url>
- --enable-default-deny=false
- --enable-json-logging=true
- --enable-logging=true
- --enable-request-id=true
- --enable-encrypted-token=true
- --encryption-key=<secret>
- --enable-refresh-tokens=true
- --enable-security-filter=true
- --listen=0.0.0.0:8080
- --preserve-host=true
- --redirection-url=http://my-public-url
- --resources=uri=/*|roles=user-role
- --upstream-url=myservice.svc.cluster.local:8080
However, after adding "enable-refresh-tokens=true", I get a 502 when trying
to log in.
In the Gatekeeper logs I see the lines below. Has anyone come across this? I
must be missing something obvious.
{"level":"info","ts":1542757702.835068,"msg":"issuing access token for user","email":"myemail at gmail.com","expires":"2018-11-20T23:53:22Z","duration":"4m59.164934314s"}
{"level":"info","ts":1542757702.8363702,"msg":"client request","latency":0.05726285,"status":307,"bytes":37,"client_ip":"10.44.1.32:60746","method":"GET","path":"/oauth/callback"}
{"level":"error","ts":1542757702.8891447,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1542757702.8892436,"msg":"client request","latency":0.000152955,"status":307,"bytes":75,"client_ip":"10.44.1.32:60752","method":"GET","path":"/favicon.ico"}
{"level":"info","ts":1542757703.03116,"msg":"client request","latency":0.001002773,"status":307,"bytes":319,"client_ip":"10.44.1.32:60754","method":"GET","path":"/oauth/authorize"}
{"level":"info","ts":1542757703.108161,"msg":"issuing access token for user","email":"myemail at gmail.com","expires":"2018-11-20T23:53:23Z","duration":"4m59.891841634s"}
{"level":"info","ts":1542757703.109042,"msg":"client request","latency":0.021427778,"status":307,"bytes":48,"client_ip":"10.44.1.32:60758","method":"GET","path":"/oauth/callback"}
Regards,
Andrey