[keycloak-user] offline token issue - critical

Sulakshana Gunna sulakshana.gunna at microfocus.com
Fri Apr 12 02:00:45 EDT 2019


Hi,
We were using keycloak 1.9.8 and now upgrading to keycloak 4.8.2.
I am facing a blocker issue with respect to refreshing offline tokens.
I have opened a ticket, https://issues.jboss.org/browse/KEYCLOAK-10029
I would appreciate it if anyone has faced a similar issue.
Details repeated below:

We have been using keycloak for our authentication process.
We generate offline token using response_type as code and exchange code for token. Our client refreshes it when access token expires.
What is observed is that all the offline tokens generated in keycloak 1.9.8 do not behave as expected after upgrading to version 4.8.2. They are assigned an expires_in equal to the session idle time, and the subsequent refresh fails with Session Not Active. The issue is impairing our release, which is around the corner. Specific details below:


With 1.9.8 keycloak:
1) User logs in with the following url:
https://<keycloak url>/auth/realms/<realm>/protocol/openid-connect/auth?client_id=<client_id>&redirect_uri=<redirect_url>&response_type=code&scope=offline_access
2) When the code is returned, it is exchanged for token using:
curl -s --request POST --header "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" --data "client_id=<client_id>&client_secret=<client_secret>&redirect_uri=<redirection url>&grant_type=authorization_code&code=<code>" "https://<keycloak url>/auth/realms/<realm>/protocol/openid-connect/token"
Sample response:
{"access_token":"eyJhbGciOiJSUzI1NiJ9.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.Tul3RCempI7aevTh7SqNODSWRS9c6KgT9FbGsulCE90xUdbDE7X_50OV1n9QBtQZH160b8AKbf1BkRGqZtbGWkXWCEvUCY-iyrovtKt-3SsGedpfD-0tEfvd53FgTrxwH8i9DxvRzOIknIDZGcCz39gYokVC-bDnyZynEpMFD1ZRPnS9fSY_S07NmeSakWPD4iF4W_09AGloZb9T5k2denRVrpIEVzoKF6lrP2U98WqvWxnJC8r-l6zZPNsThDcYiZmdOSxrmvQFYmzpaOAShX4Ad6b9vAk7Ri_6lazb3ESBgv2GSnBSRmLSpDcQBWR-qvlqVRpWLDPDCtnICFCfcw","expires_in":900,"refresh_expires_in":0,"refresh_token":"eyJhbGciOiJSUzI1NiJ9.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.aXcghpPA7H7O_KA3uUjxWr5fGvCsPV9uHdVaH5yTJ88p8Y1zhO8l6kGmTO_lYZs9_acKE6CL99kJUtNq_x42YbQEYic8aKTm5Muv41pBznSvTpE0sEn7GmdqMTLA-bCedsCcBDpEOcOJGVT-GfO9iiFYzdKBszUfDCGFPfJrF1NVUy-An7VLz4aJUur2ERu2zMGWj6Edq6go9fAJ6MJRVfT8OWvxgtt-08RpIf8Tsfx0XLIFeCT0kqzGzffadgDrNG_fL8hnODrCRVZ2qV6WAbH7cgpF1zcAsY8NQW0yvuB0hQU3i4pM_ibt-EuLeFSX05SF43PxsVnmhf-ZPBjk4A","token_type":"bearer","id_token":"eyJhbGciOiJSUzI1NiJ9.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.rvlNPmsGd0d57yGtbnmCubF3ctXnyP__lTzTdH08GhJptht0iC7CKTwuXWUfmPHN98iu8cxLyWkqOQ50obcNGOpzZXPQDTx-FW2zcyAVd6sQJxZRtOfJjGAetGaXK1s4BaJr1kwl6jmbVeslggtAAxFGCeIlGUO3zu6Qc0MhfLjOGlmUbno2tI4lAFLWkcp1LQ4vrUx5qS9Jcvs3Y2q5j-l2_XaZTLmCRVpCaWRcay9idLgIJb-yDi1r5RMv36614yTQc8pbf1eawfYp4dN1cO6ldXKG9LfWNbVj8MyD_r9Z3tZlS2fgbAzuHVIcI7BL7HlWE2Rn8uUNGkLfUKZF4w","not-before-policy":1439992645,"session_state":"849c5ed9-6c47-4c3c-93b2-5076cad834e6"}
3) Keycloak is upgraded to 4.8.2.
4) What is seen in the admin console is that the above generated offline tokens were refreshed during the upgrade, judging by the last refresh times.
5) The offline refresh token is now refreshed with below api after upgrade:
curl -s --request POST --header "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" --data "client_id=<client_id>&client_secret=<client_secret>&grant_type=refresh_token&refresh_token=<refresh_token>" "https://<keycloak url>/auth/realms/<realm>/protocol/openid-connect/token"
Sample response after upgrade:
{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJUVElxeHVSa3NjSG4zYlNYQ19CUldtTFdlUUdJc3dYMGVKM3BBTlhuODdRIn0.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.i3lEED2K_lVQk3FYDF4GaQlf0esT5iS-eP6vDKzucx9LEgHJy-ZHc4h6KhSlBoLzkFcX8zhecZq2FY69KQQZo_QdTQP3Ja8Pv1CAPRbUx8BZF1PhCmdfs6NFZmxmKSwMHwTSkFTIImbfGguMLHZexYsQ9bYNMX-ZnxlNKL1Uz25RrFAD2YYl06d_No8ojfti7KGamDjeuWK_nW-Vgy_i-6MikVbmeANj4VUEx91Ba1xlpZaGAEqC9qri90Vbr9jRo9x803G76uGsjI8D6ROSTUl2TkfoC1d9H-4KvwBrLaRBL2g-RqE9VnRL9xq5alQXiDFRzL0b7KnSqNRUT0siyw","expires_in":900,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI5N2Y5OTEyNS1kOTdlLTRhY2EtYTVmMS1mMGVlNjAwYTVmOTYifQ.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.qbL9akZtOrPK-a54A1qTbbCymaxrn2lpX21f_M_PMbQ","token_type":"bearer","not-before-policy":1439992645,"session_state":"849c5ed9-6c47-4c3c-93b2-5076cad834e6","scope":""}
6) As can be seen above, the new refresh token now expires in 1800 sec, which is the sso session idle time that I set for my session tokens, whereas before the upgrade these tokens had expires in set to 0. Also, scope is empty; this scope was not present before the upgrade.
7) At this time when I see the admin console I see that offline session token shows last refresh as the one that I did after upgrade.
8) Now when I refresh this newly generated token, I get the below error:
{"error":"invalid_grant","error_description":"Session not active"}
9) But I still see those offline session tokens in the table and console.
10) On the other hand, I do not see this issue with any new offline session tokens created after upgrading to 4.8.2.
So what is happening after the upgrade that these old offline tokens are not treated as offline, even though they are in the offline session table?
Do we have to do anything as a part of the upgrade? All we do is point keycloak 4.8.2 at the 1.9.8 DB, and it takes care of upgrading the database.

Thx
-Sulakshana
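An added example (not from the post or from Keycloak) in Python that inspects a token response of the shape shown above and flags a refresh token that no longer looks like an offline token: Keycloak marks offline refresh tokens with a `typ` claim of `Offline` and reports `refresh_expires_in` as 0, so the 1800-second value after the upgrade is the first thing a client-side check would catch. The sample responses, token claims and the client name `my-client` are constructed.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_unsigned_jwt(header: dict, claims: dict) -> str:
    # Constructed test token with a placeholder signature; only for this sample.
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), "sig"])


def decode_claims(token: str) -> dict:
    # Inspection only: the signature is not checked here; Keycloak verifies it
    # when the token is presented to the token endpoint.
    _header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(payload))


def check_offline_token_response(resp: dict, now: int) -> list:
    """Return findings; an empty list means the refresh token still looks
    like a Keycloak offline token (typ Offline, no refresh expiry)."""
    findings = []
    claims = decode_claims(resp["refresh_token"])
    typ = claims.get("typ")
    if typ != "Offline":
        findings.append(f"refresh token typ={typ!r}, expected 'Offline'")
    if resp.get("refresh_expires_in") != 0:
        findings.append(f"refresh_expires_in={resp.get('refresh_expires_in')}, "
                        "offline tokens report 0")
    exp = claims.get("exp", 0)
    if exp and exp <= now:
        findings.append(f"refresh token exp={exp} is already in the past")
    return findings


# Constructed samples mirroring the two responses in the post (claims are
# hypothetical; real Keycloak tokens carry many more claims).
BEFORE_UPGRADE = {"refresh_expires_in": 0, "scope": "offline_access",
    "refresh_token": make_unsigned_jwt({"alg": "RS256"},
        {"typ": "Offline", "exp": 0, "azp": "my-client"})}
AFTER_UPGRADE = {"refresh_expires_in": 1800, "scope": "",
    "refresh_token": make_unsigned_jwt({"alg": "HS256", "typ": "JWT"},
        {"typ": "Refresh", "exp": 1555000000 + 1800, "azp": "my-client"})}

if __name__ == "__main__":
    for name, resp in (("before", BEFORE_UPGRADE), ("after", AFTER_UPGRADE)):
        print(name, check_offline_token_response(resp, now=1555000000) or "ok")
```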
