Why invalid_grant error with "Session doesn’t have required client"?


Max Kerling

Feb 16, 2022, 11:32:52 AM
to Keycloak User
Hello

I have an app connected via oauth2-proxy to Keycloak and generally everything runs fine.

Just sometimes I see the following error in the oauth2-proxy logfiles:

unable to redeem refresh token: failed to get token: oauth2:
  cannot fetch token: 400 Bad Request
  Response: {"error":"invalid_grant","error_description":"Session doesn't have required client"},
  removing session.

The corresponding message in the Keycloak logfile is this:

org.keycloak.events type=REFRESH_TOKEN_ERROR, realmId=xxx, clientId=xxx, userId=f:ce9d954a-de51-48a4-a70b-xxx:xxx, ipAddress=x.x.x.x, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=bb77d7aa-c061-45d4-b2f7-fe938d5537cb, client_auth_method=client-secret

I found the same error message in e.g. What does "Session doesn't have required client" mean? but that problem was for Keycloak 4.x while I'm using the latest 16.1.1. Additionally, I don't use remember-me sessions or offline tokens.

The source code has this message only in oidc/TokenManager.java where problems with "cross-dc environment" are suggested but we don't have a cross datacenter environment, just three instances in the same Kubernetes namespace installed with the latest Helm chart.

What else could possibly cause this problem?

Best regards
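
The two log lines quoted above are the only evidence a defender has for this failure, so here is a small parser for the `org.keycloak.events` line and a grouping step that separates one stale token from a burst of lost client sessions. This is an added example, not code from the thread or from Keycloak; the realm, client, user and IP values in the sample lines are constructed.

```python
from collections import Counter

# Constructed sample lines in the shape of the org.keycloak.events entry above.
SAMPLE_EVENTS = """\
org.keycloak.events type=REFRESH_TOKEN_ERROR, realmId=myrealm, clientId=oauth2-proxy, userId=f:ce9d954a-de51-48a4-a70b-xxx:alice, ipAddress=10.0.0.1, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=bb77d7aa-c061-45d4-b2f7-fe938d5537cb, client_auth_method=client-secret
org.keycloak.events type=REFRESH_TOKEN, realmId=myrealm, clientId=oauth2-proxy, userId=f:ce9d954a-de51-48a4-a70b-xxx:bob, ipAddress=10.0.0.2, grant_type=refresh_token, refresh_token_type=Refresh, client_auth_method=client-secret
org.keycloak.events type=REFRESH_TOKEN_ERROR, realmId=myrealm, clientId=oauth2-proxy, userId=f:ce9d954a-de51-48a4-a70b-xxx:carol, ipAddress=10.0.0.3, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=11111111-2222-3333-4444-555555555555, client_auth_method=client-secret
org.keycloak.events type=LOGIN_ERROR, realmId=myrealm, clientId=other-app, userId=null, ipAddress=10.0.0.4, error=invalid_user_credentials
"""

EVENT_PREFIX = "org.keycloak.events "


def parse_event(line):
    """Turn one Keycloak event line into a dict of its key=value fields.
    Anything before the prefix (timestamp, log level) is ignored, and each
    pair is split on its first '=' only, because userId values contain ':'
    and may in principle contain '=' as well."""
    start = line.find(EVENT_PREFIX)
    if start < 0:
        return None
    fields = {}
    for pair in line[start + len(EVENT_PREFIX):].split(", "):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def refresh_token_errors(text):
    """Keep only the server-side counterpart of oauth2-proxy's
    'Session doesn't have required client': a REFRESH_TOKEN_ERROR with
    error=invalid_token for grant_type=refresh_token."""
    events = (parse_event(l) for l in text.splitlines() if l.strip())
    return [e for e in events if e
            and e.get("type") == "REFRESH_TOKEN_ERROR"
            and e.get("error") == "invalid_token"
            and e.get("grant_type") == "refresh_token"]


def errors_per_client(text):
    """Count failures per (realmId, clientId). Many distinct users failing on
    the same client in a short window points at lost client sessions (for
    example cache eviction) rather than at a single stale or reused token."""
    return Counter((e["realmId"], e["clientId"]) for e in refresh_token_errors(text))


def distinct_users_affected(text):
    return len({e["userId"] for e in refresh_token_errors(text)})
```

Feed it the Keycloak log for the minutes around an oauth2-proxy "removing session" message; if `distinct_users_affected` is well above one for the same client, the eviction explanation discussed later in the thread is the first thing to check.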

Zhandos Zhylkaidar

Feb 17, 2022, 9:42:27 AM
to Max Kerling, Keycloak User
Hello,

We also saw such error messages in logs, and usually that meant that we lost/evicted the client session from `clientSessions` cache.
Do you set any eviction configuration for your caches?

Best,
Zhandos.


Max Kerling

Feb 18, 2022, 9:18:26 AM
to Keycloak User
Not knowingly. Where would I find settings regarding cache eviction?

Björn Eickvonder

Jul 7, 2023, 1:48:03 PM
to Keycloak User
I experience the same issue with Keycloak 18.0.2 (Quarkus). It happens sometimes upon a refresh token request, and thus the user has to log in again. It happens regardless of whether we run the application on a single node (with local Infinispan cache) or clustered. We run on AWS ECS.

Any news on this? Is this a bug solved in a recent version of Keycloak? The only suggestion I found was to configure Infinispan with a write-through to the database such that the missing client session can be recovered from the database. But this can't be the solution.

Björn 

Schuster Sebastian (BD/PAU1)

Jul 10, 2023, 1:53:05 AM
to Björn Eickvonder, Keycloak User

The only case where I saw this issue was when the cache sizes were limited leading to eviction when caches are full.

The remediation for this is indeed to configure lazy loading for offline sessions. At first, that only worked for offline user sessions; since https://github.com/keycloak/keycloak/pull/17490 it also works for offline client sessions.

Best regards,

Sebastian
