[keycloak-user] Refresh Token Becoming Stale because of User Not Before Date

Huw McNamara huwmcnamara at msn.com
Mon Oct 29 16:26:29 EDT 2018


Hi Dmitry,

Thanks for answering, you are correct. The user NOT_BEFORE is non-zero and is after the token was issued.

After searching the code base it seems this value is set on logout, which makes sense.

Cheers,
Huw
________________________________
From: Dmitry Telegin <dt at acutus.pro>
Sent: 28 October 2018 23:35
To: Huw McNamara; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Refresh Token Becoming Stale because of User Not Before Date

Hello Huw,

The "notBefore" user property is mapped to the NOT_BEFORE column of the USER_ENTITY table. If you have access to the DB, please check it. Most likely this value is non-zero for your user.

AFAIK there is no GUI option to set this directly. Upon user creation, the field is set to zero, and there are several scenarios that can lead to a non-zero value. It needs to be further investigated which one is the cause in your case.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Sat, 2018-10-27 at 09:52 +0000, Huw McNamara wrote:
> Hello,
>
> I am having an issue with a refresh token I have requested using scope=offline_access becoming stale. This is with Keycloak 3.4.3 backed by a PostgreSQL database running on OpenShift Online.
>
> After turning on some trace logging I get the following stack trace:
>
> 09:34:54,407 TRACE [org.keycloak.protocol.oidc.endpoints.TokenEndpoint] (default task-12) Stale token: org.keycloak.OAuthErrorException: Stale token
> at org.keycloak.protocol.oidc.TokenManager.validateToken(TokenManager.java:185)
> at org.keycloak.protocol.oidc.TokenManager.refreshAccessToken(TokenManager.java:248)
> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.refreshTokenGrant(TokenEndpoint.java:419)
> at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:174)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> ...
>
> Which, in the source code, seems to correspond with these lines:
>
> if (oldToken.getIssuedAt() < session.users().getNotBeforeOfUser(realm, user)) {
>     throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Stale token");
> }
>
> https://github.com/keycloak/keycloak/blob/517588ecca8e8749c70c7a28706fc405623617d3/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L184
>
> My Offline Session Idle for the realm is set to 30 days which was definitely not breached.
>
> Can anyone tell me what the not before of the user is and how do I set its value?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
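As an added diagnostic example (not code from this thread or from Keycloak itself), the snippet below mirrors the `validateToken` comparison quoted above and applies it to the `iat` claim of a refresh token, so an operator can tell whether a "Stale token" rejection is explained by the user's NOT_BEFORE value. The token, timestamps and client name are constructed; in practice the NOT_BEFORE figure would be read from the USER_ENTITY table as Dmitry describes.

```python
import base64
import json


def is_stale(issued_at: int, user_not_before: int) -> bool:
    # Mirrors the Keycloak check quoted in the thread: a token is stale when it
    # was issued strictly before the user's notBefore. Both are epoch seconds;
    # a NOT_BEFORE of 0 (the value set at user creation) lets every token pass.
    return issued_at < user_not_before


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    # Diagnostic decode only: the signature is deliberately NOT verified here,
    # because we are inspecting claims of a token we already hold, not trusting
    # one presented to us.
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def diagnose_refresh(token: str, user_not_before: int) -> str:
    # Explains a refresh failure in terms of the notBefore rule. The gap tells
    # you how long after issuance the revoking event (e.g. a logout) happened.
    iat = int(jwt_payload(token)["iat"])
    if is_stale(iat, user_not_before):
        gap = user_not_before - iat
        return (f"stale: iat={iat} is before user NOT_BEFORE={user_not_before} "
                f"(set {gap}s after issue; a logout after issue is a likely cause)")
    return f"ok: iat={iat} is not before user NOT_BEFORE={user_not_before}"


def make_sample_token(claims: dict) -> str:
    # Constructed sample input only: header plus claims with a placeholder
    # signature segment, since nothing here verifies signatures.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-sig"


if __name__ == "__main__":
    issued = 1540636800  # constructed epoch timestamp (27 Oct 2018 UTC)
    token = make_sample_token({"typ": "Offline", "iat": issued, "azp": "example-client"})
    print(diagnose_refresh(token, 0))             # never revoked -> ok
    print(diagnose_refresh(token, issued + 3600)) # logout an hour later -> stale
```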