Hello,
We are facing a problem where auth sessions in Keycloak are randomly replaced, which is causing missing claims in tokens.
This problem only occurs in one of our active deployments, and we cannot recreate it locally with a debugger.
We cannot give a way to reproduce this bug, since we cannot identify what is actually causing it.
Can you help us understand why Keycloak might decide to start a new auth session, or give hints for further troubleshooting?
Scenario
-----------------------
The user logs in to start_app and uses a link to open frontend in another tab. The second login does not require authentication because of SSO.
Both applications call refresh token every 4 minutes, sharing the same session (3212d855...).
We are using a mapper to print the session notes "identity_provider" and "identity_provider_identity" to the token.
This works for a varying number of refreshes until Keycloak apparently decides we have a new session (3c53bed4...) and the mapper cannot find the session notes.
The application then logs out the user in the original session (3212d855...) because of the missing claim.
This new session (3c53bed4...) only appears at random whole-hour intervals, e.g. 2h, 3h, 6h after the first login.
Log excerpt
-----------------------
Date AuthSessionParentID TabID Type UserID Client
Nov 8, 2021 @ 13:15:58.820 3212d855-215f-49c2-9c5a-43bc035ccaab PzuBZif_3Qw LOGOUT fbe1d0f2-805e-40b8-989d-0f360448738a null
Nov 8, 2021 @ 13:15:51.211 - - REFRESH_TOKEN fbe1d0f2-805e-40b8-989d-0f360448738a start_app
Nov 8, 2021 @ 13:15:51.181 3c53bed4-d3fd-4cbf-82f7-5f03f58eeb69 BDg2OT42F-8 REFRESH_TOKEN fbe1d0f2-805e-40b8-989d-0f360448738a frontend
Nov 8, 2021 @ 13:11:51.438 - - REFRESH_TOKEN fbe1d0f2-805e-40b8-989d-0f360448738a frontend
Nov 8, 2021 @ 13:11:51.436 - - REFRESH_TOKEN fbe1d0f2-805e-40b8-989d-0f360448738a start_app
.
. recurring refresh token calls every 4th minute
.
Nov 8, 2021 @ 11:23:26.487 - - REFRESH_TOKEN fbe1d0f2-805e-40b8-989d-0f360448738a frontend
Nov 8, 2021 @ 11:23:20.578 - - REFRESH_TOKEN fbe1d0f2-805e-40b8-989d-0f360448738a start_app
Nov 8, 2021 @ 11:19:24.568 - - CODE_TO_TOKEN fbe1d0f2-805e-40b8-989d-0f360448738a frontend
Nov 8, 2021 @ 11:19:24.455 3212d855-215f-49c2-9c5a-43bc035ccaab TzNGWGd2QRU LOGIN fbe1d0f2-805e-40b8-989d-0f360448738a frontend
Nov 8, 2021 @ 11:19:19.517 - - CODE_TO_TOKEN fbe1d0f2-805e-40b8-989d-0f360448738a start_app
Nov 8, 2021 @ 11:19:19.073 3212d855-215f-49c2-9c5a-43bc035ccaab _c9ISZtMIAs LOGIN fbe1d0f2-805e-40b8-989d-0f360448738a start_app
Deployment details:
-----------------------
Keycloak version: 14.00
Our Keycloak is deployed in an ECS cluster with two nodes using distributed caches.
The webapps are using keycloak-angular
Access token lifespan: 5m
SSO Session Idle: 1h
SSO Session Max: 10h
Thanks
//Anders Ohlsson
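One way to spot the session switch in an export like the excerpt above, as an added example that is not part of the original post: the parser assumes the six whitespace-separated columns of that excerpt, the sample lines are reconstructed from it, and the function names are my own.

```python
"""Flag Keycloak events whose AuthSessionParentID differs from the session
the same user most recently logged in with (the symptom described above)."""
import re
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "time session tab type user client")

# One line of the excerpt: "<date> @ <time> <session> <tab> <TYPE> <user> <client>";
# "-" stands for an absent session or tab id.
LINE_RE = re.compile(
    r"^(?P<time>\w{3} \d{1,2}, \d{4} @ \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<session>\S+) (?P<tab>\S+) (?P<type>[A-Z_]+) (?P<user>\S+) (?P<client>\S+)$"
)

# Constructed sample, taken from the log excerpt in the post (newest first).
SAMPLE_LOG = """
Nov 8, 2021 @ 13:15:58.820 3212d855-215f-49c2-9c5a-43bc035ccaab PzuBZif_3Qw LOGOUT fbe1d0f2-805e-40b8-989d-0f360448738a null
Nov 8, 2021 @ 13:15:51.211 - - REFRESH_TOKEN fbe1d0f2-805e-40b8-989d-0f360448738a start_app
Nov 8, 2021 @ 13:15:51.181 3c53bed4-d3fd-4cbf-82f7-5f03f58eeb69 BDg2OT42F-8 REFRESH_TOKEN fbe1d0f2-805e-40b8-989d-0f360448738a frontend
Nov 8, 2021 @ 11:23:26.487 - - REFRESH_TOKEN fbe1d0f2-805e-40b8-989d-0f360448738a frontend
Nov 8, 2021 @ 11:19:24.455 3212d855-215f-49c2-9c5a-43bc035ccaab TzNGWGd2QRU LOGIN fbe1d0f2-805e-40b8-989d-0f360448738a frontend
Nov 8, 2021 @ 11:19:19.073 3212d855-215f-49c2-9c5a-43bc035ccaab _c9ISZtMIAs LOGIN fbe1d0f2-805e-40b8-989d-0f360448738a start_app
"""

def parse_events(text):
    """Parse excerpt lines into Events, oldest first; header and filler lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append(Event(datetime.strptime(d["time"], "%b %d, %Y @ %H:%M:%S.%f"),
                            None if d["session"] == "-" else d["session"],
                            None if d["tab"] == "-" else d["tab"],
                            d["type"], d["user"], d["client"]))
    return sorted(events, key=lambda e: e.time)

def find_session_switches(events):
    """Return (event, login_session) pairs for events that carry a session id
    other than the one the user's latest LOGIN established."""
    login_session = {}
    switches = []
    for e in events:
        if e.type == "LOGIN" and e.session:
            login_session[e.user] = e.session      # a real re-login resets the baseline
        elif e.session and e.user in login_session and e.session != login_session[e.user]:
            switches.append((e, login_session[e.user]))
    return switches

if __name__ == "__main__":
    for ev, original in find_session_switches(parse_events(SAMPLE_LOG)):
        print(f"{ev.time} {ev.client} {ev.type}: session {ev.session} (tab {ev.tab}) != login session {original}")
```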