[keycloak-user] What does "Session doesn't have required client" mean?

Ken Haendel khaendel at ehotel.de
Mon Feb 11 12:33:49 EST 2019


I have a question concerning Keycloak 4.8.3.

I am using the Spring Security adapter to secure our web app with 
Keycloak and have enabled the login feature: remember-me.

The user logs in from a browser and it redirects back to our web app.

Our web-app calls another Keycloak secured REST-API endpoint internally 
using the KeycloakRestTemplate, because we need to authorize these calls 
as well using the same user of the web app.

After some amount of time the REST-API call fails with the following 
error message:

"ERROR RefreshableKeycloakSecurityContext Refresh token failure status: 
400 {"error":"invalid_grant","error_description":"Session doesn't have 
required client"}"

and the Keycloak log file contains the following warning:

17:25:51,929 WARN  [org.keycloak.events] (default task-1) 
type=REFRESH_TOKEN_ERROR, realmId=EHotel, clientId=IBE, 
ipAddress=, error=invalid_token, grant_type=refresh_token, 

I cannot predict when exactly that happens, presumably after 15 minutes 
or after an hour. Token expiration is set as follows:

SSO Session Idle: 5 minutes

SSO Session Max: 5 minutes

SSO Session Idle Remember Me: 1 Day

SSO Session Max Remember Me: 1 Day

Access Token Lifespan: 2 minutes

It seems that there is a client session cache involved 
(InfinispanUserSessionProvider) that loses information after a while.

What does the error message mean, and what am I doing wrong?

Please help me out.

Thank you in advance,


