[keycloak-user] What does "Session doesn't have required client" mean?

[Ken Haendel]

Hello,

I have a question concerning Keycloak 4.8.3.

I am using the spring security adapter to secure our web-app with the 
keycloak and enabled login feature: remember-me.

The user logs in from a browser and it redirects back to out web app.


Our web-app calls another Keycloak secured REST-API endpoint internally 
using the KeycloakRestTemplate, because we need to authorize these calls 
as well using the same user of the web app.


After some amount of time the REST-API call fails with the following 
error message:

"ERROR RefreshableKeycloakSecurityContext Refresh token failure status: 
400 {"error":"invalid_grant","error_description":"Session doesn't have 
required client"}"


and the keycloak log file contains the folowing warning:

17:25:51,929 WARN  [org.keycloak.events] (default task-1) 
type=REFRESH_TOKEN_ERROR, realmId=EHotel, clientId=IBE, 
userId=f:8db533c4-9733-48d4-8b30-28a50954b7ad:khaendel, 
ipAddress=192.168.1.76, error=invalid_token, grant_type=refresh_token, 
refresh_token_type=Refresh, 
refresh_token_id=9fba841f-54bb-4c81-8f7b-6a7e1c5ab92e, 
client_auth_method=client-secret


I cannot predict when exactly that happens, presumably after 15 minutes 
or after an hour. Token expiration is set as follows:

SSO Session Idle: 5 minutes

SSO Session Max: 5 minutes

SSO Session Idle Remember Me: 1 Day

SSO Session Max Remember Me: 1 Day

Access Token Lifespan: 2 minutes


It seems, that there is a client session cache involved 
(InfinispanUserSessionProvider), that looses information after a while.

What does the error message mean and

what am i doing wrong?


Please help me out.

Thank you in advance,

Regards,

Ken


-------------- next part --------------
A non-text attachment was scrubbed...
Name: khaendel.vcf
Type: text/x-vcard
Size: 185 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190211/dc6f162c/attachment.vcf