[keycloak-user] Refresh Token Becoming Stale because of User Not Before Date

Huw McNamara huwmcnamara at msn.com
Sat Oct 27 05:52:05 EDT 2018


Hello,

I am having an issue with a refresh token I have requested using scope=offline_access becoming stale. This is with Keycloak 3.4.3 backed by a PostgreSQL database running on OpenShift Online.

After turning on some trace logging I get the following stack trace:

09:34:54,407 TRACE [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-12) Stale token: org.keycloak.OAuthErrorException: Stale token
at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:185)
at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:248)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.refreshTokenGrant(TokenEndpoint.java:419)
at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:174)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...

Which, in the source code, seems to correspond with these lines:

if (oldToken.getIssuedAt() < session.users().getNotBeforeOfUser(realm, user)) {
    throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token");
}

https://github.com/keycloak/keycloak/blob/517588ecca8e8749c70c7a28706fc405623617d3/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L184

My Offline Session Idle for the realm is set to 30 days which was definitely not breached.

Can anyone tell me what the not before of the user is and how do I set its value?
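
The comparison quoted above can be reproduced offline to see how far a refresh token's iat claim sits from a candidate not-before value. This is an added example, not Keycloak code and not part of the original message; the function names, the sample token and the not-before value are constructed for illustration, and it assumes both values are epoch seconds and that the user's actual not-before is read from the server.

```python
import base64
import json
from datetime import datetime, timezone


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with the '=' padding stripped; restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def utc(seconds: int) -> str:
    return datetime.fromtimestamp(seconds, timezone.utc).isoformat()


def stale_check(token: str, user_not_before: int) -> dict:
    """Mirror the quoted check: the token is stale when iat < the user's not-before."""
    iat = jwt_claims(token).get("iat")
    if isinstance(iat, bool) or not isinstance(iat, int):
        raise ValueError("token has no integer 'iat' claim")
    return {
        "iat_utc": utc(iat),
        "not_before_utc": utc(user_not_before),
        "stale": iat < user_not_before,  # strict '<', as in the quoted Java
        "seconds_before_cutoff": max(0, user_not_before - iat),
    }


def make_sample_token(claims: dict) -> str:
    """Build a constructed token with a dummy signature (not a real Keycloak token)."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])


# Constructed sample: iat = 2018-10-01T00:00:00Z; assumed not-before = 2018-10-20T00:00:00Z.
SAMPLE = make_sample_token({"iat": 1538352000})

if __name__ == "__main__":
    print(stale_check(SAMPLE, user_not_before=1539993600))
```

The payload is decoded without signature verification, so the output is only a debugging aid for comparing timestamps.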

