Hi,
We are running Keycloak 11.0.0 in a standalone cluster setup, and we are having problems with offline sessions not being persisted in the DB. They work normally until we restart one of the server nodes, when they stop working.
This is how I can reproduce the issue in our Keycloak setup:
1. Make a password grant token request with the 'openid offline_access' scope for some client.
At this point, if I check the database tables, I can see new entries in 'OFFLINE_USER_SESSION' and 'OFFLINE_CLIENT_SESSION', but not in 'USER_CONSENT'. If I go to Users->[my user]->Consents in the admin console I can see the new consent created for myself, but I can't see the persisted entry in the DB.
The next steps:
2. Use the refresh token to get a new access token: it works.
3. Restart one Keycloak server.
4. Try using the same refresh token again: it fails:
{"error":"invalid_grant","error_description":"Session doesn't have required client"}
Strangely this was not always the case: some of the times I tried, the 'USER_CONSENT' row was actually there, and everything was working after the restart. But this was more rare than failing.
When the token request fails, checking the database again, I can see that there are the same entries as before. I guess that this is an inconsistent state for 'OFFLINE_USER_SESSION' and 'OFFLINE_CLIENT_SESSION'.
Do you think this is a bug, or maybe some problem in our setup?
Thanks,
Asier