[keycloak-user] can't use refresh token with keycloak-gatekeeper

Andrey Kozichev akozichev at gmail.com
Fri Nov 23 10:21:33 EST 2018


Replying to my own question. Looks like all configuration was correct. The
issue was specific only to the particular test user.
Newly created user works as expected.

After removing Test User from multiple roles/groups the issue disappeared.
Can't tell for sure which group membership was causing it.

Thank you All!

Regards,
Andrey
---
https://getantler.io/

On Wed, 21 Nov 2018 at 00:01, Andrey Kozichev <akozichev at gmail.com> wrote:

> Hello!
> Has anyone come across use of refresh tokens with keycloak-gatekeeper?
>
> I've got a Web app running behind keycloak-gatekeeper. Currently session
> expires after 5 minutes of inactivity. In the logs I see "session expired
> and access token refreshing is disabled".
>
> To avoid this, I am trying to enable "refresh tokens" on my gatekeeper
> proxy by adding "--enable-refresh-tokens=true"; the full list of
> configuration options:
>
>
>         - --client-id=my_clientid
>         - --discovery-url=<keycloak_url>
>         - --enable-default-deny=false
>         - --enable-json-logging=true
>         - --enable-logging=true
>         - --enable-request-id=true
>         - --enable-encrypted-token=true
>         - --encryption-key=<secret>
>         - --enable-refresh-tokens=true
>         - --enable-security-filter=true
>         - --listen=0.0.0.0:8080
>         - --preserve-host=true
>         - --redirection-url=http://my-public-url
>         - --resources=uri=/*|roles=user-role
>         - --upstream-url=myservice.svc.cluster.local:8080
>
> However, after adding "enable-refresh-tokens=true" I get 502 when
> trying to login.
> In the Gatekeeper logs I see the lines below. Has anyone come across this? I
> must be missing something obvious.
>
>
> {"level":"info","ts":1542757702.835068,"msg":"issuing access token for
> user","email":"myemail at gmail.com
> ","expires":"2018-11-20T23:53:22Z","duration":"4m59.164934314s"}
>
> {"level":"info","ts":1542757702.8363702,"msg":"client
> request","latency":0.05726285,"status":307,"bytes":37,"client_ip":"
> 10.44.1.32:60746","method":"GET","path":"/oauth/callback"}
>
> {"level":"error","ts":1542757702.8891447,"msg":"no session found in
> request, redirecting for authorization","error":"authentication session not
> found"}
>
> {"level":"info","ts":1542757702.8892436,"msg":"client
> request","latency":0.000152955,"status":307,"bytes":75,"client_ip":"
> 10.44.1.32:60752","method":"GET","path":"/favicon.ico"}
>
> {"level":"info","ts":1542757703.03116,"msg":"client
> request","latency":0.001002773,"status":307,"bytes":319,"client_ip":"
> 10.44.1.32:60754","method":"GET","path":"/oauth/authorize"}
>
> {"level":"info","ts":1542757703.108161,"msg":"issuing access token for
> user","email":"myemail at gmail.com
> ","expires":"2018-11-20T23:53:23Z","duration":"4m59.891841634s"}
>
> {"level":"info","ts":1542757703.109042,"msg":"client
> request","latency":0.021427778,"status":307,"bytes":48,"client_ip":"
> 10.44.1.32:60758","method":"GET","path":"/oauth/callback"}
>
>
> Regards,
> Andrey
>
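The thread ends with the observation that the failure was tied to one user's role and group memberships, without pinning down which one. Before removing memberships blindly, a practitioner would want to see what actually differs between the working user's token and the failing user's token: which claims Keycloak put in it, how many roles and groups, and how large the encoded token is (gatekeeper carries the session in browser cookies, and RFC 6265 only guarantees 4096 bytes per cookie). The script below is an added example, not code from the thread or from the keycloak-gatekeeper project. The two tokens are constructed locally with a throwaway HS256 key purely so the example runs offline; real Keycloak tokens are RS256-signed by the realm and would be obtained from the token endpoint or the browser. The realm URL, usernames and role/group names are all assumed.

```python
import base64
import hashlib
import hmac
import json

# Constructed throwaway key for the sample tokens; not a Keycloak realm key.
KEY = b"throwaway-demo-key"

# RFC 6265 minimum per-cookie size a user agent must support.
COOKIE_LIMIT = 4096


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT for the constructed samples only."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def decode_claims(token: str) -> dict:
    # Inspection only: the signature is deliberately not verified, because the
    # goal is to look at claim contents and size, not to trust the token.
    _header, body, _sig = token.split(".")
    return json.loads(b64url_decode(body))


def summarize(token: str) -> dict:
    """Count the membership-related claims and the encoded size of a token."""
    claims = decode_claims(token)
    realm_roles = claims.get("realm_access", {}).get("roles", [])
    client_roles = [r for c in claims.get("resource_access", {}).values() for r in c.get("roles", [])]
    groups = claims.get("groups", [])
    return {
        "encoded_len": len(token),
        "realm_roles": len(realm_roles),
        "client_roles": len(client_roles),
        "groups": len(groups),
        "over_cookie_limit": len(token) > COOKIE_LIMIT,
    }


def compare(working: str, failing: str) -> dict:
    """Side-by-side (working, failing) view of the summary fields."""
    a, b = summarize(working), summarize(failing)
    return {k: (a[k], b[k]) for k in a}


def sample_claims(username: str, realm_roles, groups, client_roles) -> dict:
    # Constructed claim set shaped like a Keycloak access token; issuer URL,
    # usernames and role names are assumptions. Timestamps are fixed so the
    # output is deterministic.
    return {
        "iss": "https://keycloak.example/auth/realms/demo",
        "aud": "my_clientid",
        "iat": 1542757702,
        "exp": 1542757702 + 300,
        "preferred_username": username,
        "realm_access": {"roles": realm_roles},
        "resource_access": {c: {"roles": r} for c, r in client_roles.items()},
        "groups": groups,
    }


# Newly created user: one role, one group.
WORKING_TOKEN = make_token(
    sample_claims("newuser", ["user-role"], ["/staff"], {"my_clientid": ["user-role"]}), KEY)

# Long-lived test user: accumulated legacy roles, many groups, many client roles.
FAILING_TOKEN = make_token(
    sample_claims(
        "testuser",
        ["user-role"] + [f"legacy-role-{i:03d}" for i in range(150)],
        [f"/org/department/team-{i:03d}" for i in range(100)],
        {f"client-{i}": [f"client-role-{j}" for j in range(5)] for i in range(10)},
    ),
    KEY,
)

if __name__ == "__main__":
    print(json.dumps(compare(WORKING_TOKEN, FAILING_TOKEN), indent=2))
```

Run it against two real tokens by replacing the two constants with tokens copied from the browser or the token endpoint; `decode_claims` accepts any compact JWT. If the failing user's token is far larger and crosses the cookie limit, that is the first thing to check against the proxy's session cookie before touching group membership.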

