Got 401 Unauthorized for a valid token if Keycloak is restarted


Olivier Masseau

Mar 23, 2023, 1:27:55 PM
to Keycloak User
Hello,

Here is my problem:
I generate a token (with realm management rights) by calling:
http://localhost:8180/auth/realms/<realm>/protocol/openid-connect/token

If I then call:
http://localhost:8180/auth/admin/realms/<realm>/groups?briefRepresentation=false

It correctly returns all the groups of the realm.

Now if I restart Keycloak, with my token still valid (it is not expired), and I call again:
http://localhost:8180/auth/realms/<realm>/protocol/openid-connect/token

It returns:
{
  "error": "HTTP 401 Unauthorized"
}

Is this a normal behaviour?
Why do I get a 401 Unauthorized error when my token is still valid?
Does Keycloak have some internal stateful info associated with the token, necessary to validate the token, that is lost when the server is restarted?
Can't we tell it to persist that stateful info into the DB to avoid the 401 error after a restart?

Olivier Masseau

Mar 23, 2023, 2:32:02 PM
to Keycloak User
After some research I think I've understood:
Even when generating a token through the /token endpoint, Keycloak has to create a user session in cache.
When reading the documentation it is not really clear: I thought this user session was only created when using the Keycloak login form through a browser.

This user session is necessary to be able to use the refresh token, userinfo or introspect functionalities.

Am I right?

Still, can't we force it to be persisted into the database in case the server needs to be restarted?
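The distinction drawn in the two posts above, between a token that is cryptographically valid and a token whose backing user session still exists, can be modelled in a few lines. The following is an added example and not code from the thread or from Keycloak: `issue_token`, `stateless_check`, `stateful_check` and `simulate_restart` are hypothetical names, HS256 with a constructed shared secret stands in for Keycloak's RS256 realm key, and a plain dict stands in for the Infinispan user-session cache. Real Keycloak access tokens carry the session reference in the `session_state` / `sid` claims; the example uses `sid`. The `stateful_check` function treats "session must still exist" as the rule the second post describes for refresh, userinfo and introspection, and that rule is taken as an assumption here.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret standing in for the realm signing key.
# Keycloak signs with RS256; HMAC keeps this example self-contained (assumption).
SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sessions: dict, sub: str, now: int, lifespan: int = 300) -> str:
    """Mint an HS256 JWT and register the user session it belongs to in the
    in-memory session store, as the /token endpoint does (per the thread)."""
    session_id = hashlib.sha256(f"{sub}:{now}".encode()).hexdigest()[:16]
    sessions[session_id] = {"sub": sub, "started": now}
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + lifespan, "sid": session_id}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(payload).encode())}"
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def stateless_check(token: str, now: int) -> Optional[dict]:
    """What a resource server with only the public key can check:
    signature and expiry. Needs no state on the Keycloak side."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims["exp"] <= now:
        return None
    return claims


def stateful_check(token: str, sessions: dict, now: int) -> int:
    """Session-bound endpoints (refresh, userinfo, introspection) additionally
    require the referenced session to exist. Returns an HTTP-style status."""
    claims = stateless_check(token, now)
    if claims is None:
        return 401
    if claims["sid"] not in sessions:
        return 401  # signature and exp are fine, but the session is gone
    return 200


def simulate_restart(sessions: dict) -> None:
    """A restart without a persistent Infinispan store empties the session cache."""
    sessions.clear()


def demo() -> tuple:
    """Reproduce the thread: 200 before restart, 401 after, token still unexpired."""
    sessions = {}
    t0 = 1_700_000_000
    token = issue_token(sessions, "admin", t0)
    before = stateful_check(token, sessions, t0 + 60)
    simulate_restart(sessions)
    after = stateful_check(token, sessions, t0 + 120)
    still_valid = stateless_check(token, t0 + 120) is not None
    return before, after, still_valid


if __name__ == "__main__":
    print(demo())  # (200, 401, True)
```

The useful diagnostic for a practitioner is the last value: decode the token's `iat`, `exp` and `sid`/`session_state` claims and compare `iat` with the server's restart time. If the token was issued before the restart and the endpoint is session-bound, the 401 is expected and the fix is either to obtain a new token or, as the reply below suggests, to make the session cache survive restarts.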

Björn Eickvonder

Mar 23, 2023, 8:57:07 PM
to Keycloak User
Take a look here, you have to make the Infinispan cache persistent (though I haven't tried that):
https://keycloak.discourse.group/t/persist-infinispan-cache/16699