[keycloak-user] Refresh Token Becoming Stale because of User Not Before Date

Dmitry Telegin dt at acutus.pro
Sun Oct 28 19:35:44 EDT 2018


Hello Huw,

The "notBefore" user property is mapped to the NOT_BEFORE column of the USER_ENTITY table. If you have access to the DB, please check it. Most likely this value is non-zero for your user.

AFAIK there is no GUI option to set this directly. Upon user creation, the field is set to zero, and there are several scenarios that can lead to a non-zero value. It needs to be further investigated which one is the cause in your case.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Sat, 2018-10-27 at 09:52 +0000, Huw McNamara wrote:
> Hello,
> 
> I am having an issue with a refresh token I have requested using scope=offline_access becoming stale. This is with Keycloak 3.4.3 backed by a PostgreSQL database running on OpenShift Online.
> 
> After turning on some trace logging I get the following stack trace:
> 
> 09:34:54,407 TRACE [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-12) Stale token: org.keycloak.OAuthErrorException: Stale token
> at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:185)
> at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:248)
> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.refreshTokenGrant(TokenEndpoint.java:419)
> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:174)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> ...
> 
> Which, in the source code, seems to correspond with these lines:
> 
> if (oldToken.getIssuedAt() < session.users().getNotBeforeOfUser(realm, user)) {
>     throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token");
> }
> 
> https://github.com/keycloak/keycloak/blob/517588ecca8e8749c70c7a28706fc405623617d3/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L184
> 
> My Offline Session Idle for the realm is set to 30 days which was definitely not breached.
> 
> Can anyone tell me what the "not before" of the user is and how I can set its value?
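The check quoted above compares the refresh token's issued-at claim with the per-user "not before" value, and rejects the token when the claim is older. The following Python script is an added diagnostic example, not code from Keycloak or from either poster: it decodes the `iat` claim from a refresh token (without verifying the signature, since this is for local inspection only) and replays the same comparison against a NOT_BEFORE value read from the USER_ENTITY table. It assumes that both the `iat` claim and the NOT_BEFORE column hold seconds since the Unix epoch, and the sample token it builds is constructed here for illustration.

```python
import base64
import json
from typing import Any, Dict


def _b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT strips, then decode."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_sample_token(issued_at: int) -> str:
    """Constructed, unsigned JWT-shaped refresh token carrying an iat claim.

    Only the payload matters for the staleness check; the signature segment
    is left empty because this token is never verified, only inspected.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iat": issued_at, "typ": "Offline"}).encode())
    return f"{header}.{payload}."


def decode_payload(token: str) -> Dict[str, Any]:
    """Return the JWT payload as a dict. No signature verification: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment JWT")
    return json.loads(_b64url_decode(parts[1]))


def staleness_report(token: str, user_not_before: int) -> Dict[str, Any]:
    """Replay Keycloak's check: a token is stale when iat < the user's notBefore.

    user_not_before is the NOT_BEFORE column of USER_ENTITY (assumed to be epoch
    seconds, the same unit as the iat claim). A value of 0 never rejects anything;
    a non-zero value invalidates every token issued before that instant.
    """
    issued_at = int(decode_payload(token)["iat"])
    return {
        "issued_at": issued_at,
        "user_not_before": user_not_before,
        "stale": issued_at < user_not_before,
    }


if __name__ == "__main__":
    # Constructed values: a token issued on 2018-10-26, checked against three
    # possible NOT_BEFORE values read from the database.
    token = make_sample_token(1540550000)
    for not_before in (0, 1540550000, 1540600000):
        print(staleness_report(token, not_before))
```

To use it against a real deployment, paste the refresh token returned by the token endpoint into `staleness_report` together with the NOT_BEFORE value fetched from USER_ENTITY for the affected user; a non-zero NOT_BEFORE that is later than the token's `iat` reproduces the "Stale token" rejection exactly as the quoted source does, and because the comparison is strict, a token issued at the same second as the NOT_BEFORE value is still accepted.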
