Auth Session is randomly replaced on refresh


Anders Ohlsson

Nov 18, 2021, 10:10:23 AM
to Keycloak User
Hello,
 
We are facing a problem where auth sessions in Keycloak are randomly replaced, which is causing missing claims in tokens.
This problem is only occurring in one of our active deployments and we cannot recreate it locally with a debugger.
We cannot give a way to reproduce this bug since we cannot identify what is actually causing the problem.

Can you help us understand why Keycloak might decide to start a new auth session, or give hints for further troubleshooting?
 

Scenario
-----------------------
User logs in to start_app and uses a link to open frontend in another tab. The second login does not require authentication because of SSO.
Both applications call refresh token every four minutes, sharing the same session (3212d855...).

We are using a mapper to print the session notes "identity_provider" and "identity_provider_identity" into the token.
This works for a varying number of refreshes until Keycloak apparently decides we have a new session (3c53bed4...) and the mapper cannot find the session notes.
The application then logs out the user, in the original session (3212d855...), because of the missing claim.

This new session (3c53bed4...) only appears at random whole-hour intervals, e.g. 2 h, 3 h, 6 h from first login.
 

Log excerpt
-----------------------
Date                        AuthSessionParentID                     TabID           Type            UserID                                  Client
Nov 8, 2021 @ 13:15:58.820  3212d855-215f-49c2-9c5a-43bc035ccaab    PzuBZif_3Qw     LOGOUT          fbe1d0f2-805e-40b8-989d-0f360448738a    null
Nov 8, 2021 @ 13:15:51.211  -                                       -               REFRESH_TOKEN   fbe1d0f2-805e-40b8-989d-0f360448738a    start_app
Nov 8, 2021 @ 13:15:51.181  3c53bed4-d3fd-4cbf-82f7-5f03f58eeb69    BDg2OT42F-8     REFRESH_TOKEN   fbe1d0f2-805e-40b8-989d-0f360448738a    frontend
Nov 8, 2021 @ 13:11:51.438  -                                       -               REFRESH_TOKEN   fbe1d0f2-805e-40b8-989d-0f360448738a    frontend
Nov 8, 2021 @ 13:11:51.436  -                                       -               REFRESH_TOKEN   fbe1d0f2-805e-40b8-989d-0f360448738a    start_app
.
. recurring refresh token calls every 4th minute
.
Nov 8, 2021 @ 11:23:26.487  -                                       -               REFRESH_TOKEN   fbe1d0f2-805e-40b8-989d-0f360448738a    frontend
Nov 8, 2021 @ 11:23:20.578  -                                       -               REFRESH_TOKEN   fbe1d0f2-805e-40b8-989d-0f360448738a    start_app
Nov 8, 2021 @ 11:19:24.568  -                                       -               CODE_TO_TOKEN   fbe1d0f2-805e-40b8-989d-0f360448738a    frontend
Nov 8, 2021 @ 11:19:24.455  3212d855-215f-49c2-9c5a-43bc035ccaab    TzNGWGd2QRU     LOGIN           fbe1d0f2-805e-40b8-989d-0f360448738a    frontend
Nov 8, 2021 @ 11:19:19.517  -                                       -               CODE_TO_TOKEN   fbe1d0f2-805e-40b8-989d-0f360448738a    start_app
Nov 8, 2021 @ 11:19:19.073  3212d855-215f-49c2-9c5a-43bc035ccaab    _c9ISZtMIAs     LOGIN           fbe1d0f2-805e-40b8-989d-0f360448738a    start_app
 

Deployment details:
-----------------------
Keycloak version: 14.00
Our Keycloak is deployed in an ECS cluster with two nodes using distributed caches.
 
The webapps are using keycloak-angular
 
Access token lifespan: 5m
SSO Session Idle: 1h
SSO Session Max: 10h

Thanks
//Anders Ohlsson
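To make the symptom in the log excerpt above checkable across a larger log export, here is an added example (not code from the original post and not Keycloak's own): it parses event lines in the column layout shown in the post, remembers the AuthSessionParentID of each user's first LOGIN, and reports every later event whose session ID differs, together with the time since first login and the gap since the user's previous event (the latter tells you whether the 1 h SSO Session Idle could plausibly have expired). The sample lines are constructed from the excerpt; the function names and record fields are this example's own choices, not anything from Keycloak.

```python
"""Flag Keycloak auth-session replacement in an event log export.

Added example, not from the original post or from Keycloak. Input lines are
assumed to have the columns shown in the post:
Date, AuthSessionParentID, TabID, Type, UserID, Client.
"""
import re
from datetime import datetime

# Constructed sample, mirroring the excerpt in the post (newest first, as logged).
SAMPLE_LOG = """\
Nov 8, 2021 @ 13:15:58.820  3212d855-215f-49c2-9c5a-43bc035ccaab    PzuBZif_3Qw     LOGOUT          fbe1d0f2-805e-40b8-989d-0f360448738a    null
Nov 8, 2021 @ 13:15:51.211  -                                       -               REFRESH_TOKEN   fbe1d0f2-805e-40b8-989d-0f360448738a    start_app
Nov 8, 2021 @ 13:15:51.181  3c53bed4-d3fd-4cbf-82f7-5f03f58eeb69    BDg2OT42F-8     REFRESH_TOKEN   fbe1d0f2-805e-40b8-989d-0f360448738a    frontend
Nov 8, 2021 @ 13:11:51.438  -                                       -               REFRESH_TOKEN   fbe1d0f2-805e-40b8-989d-0f360448738a    frontend
Nov 8, 2021 @ 13:11:51.436  -                                       -               REFRESH_TOKEN   fbe1d0f2-805e-40b8-989d-0f360448738a    start_app
Nov 8, 2021 @ 11:23:26.487  -                                       -               REFRESH_TOKEN   fbe1d0f2-805e-40b8-989d-0f360448738a    frontend
Nov 8, 2021 @ 11:23:20.578  -                                       -               REFRESH_TOKEN   fbe1d0f2-805e-40b8-989d-0f360448738a    start_app
Nov 8, 2021 @ 11:19:24.568  -                                       -               CODE_TO_TOKEN   fbe1d0f2-805e-40b8-989d-0f360448738a    frontend
Nov 8, 2021 @ 11:19:24.455  3212d855-215f-49c2-9c5a-43bc035ccaab    TzNGWGd2QRU     LOGIN           fbe1d0f2-805e-40b8-989d-0f360448738a    frontend
Nov 8, 2021 @ 11:19:19.517  -                                       -               CODE_TO_TOKEN   fbe1d0f2-805e-40b8-989d-0f360448738a    start_app
Nov 8, 2021 @ 11:19:19.073  3212d855-215f-49c2-9c5a-43bc035ccaab    _c9ISZtMIAs     LOGIN           fbe1d0f2-805e-40b8-989d-0f360448738a    start_app
"""

# One log line: timestamp, then five whitespace-separated columns ("-" means empty).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} @ \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<session>\S+)\s+(?P<tab>\S+)\s+(?P<type>\S+)\s+(?P<user>\S+)\s+(?P<client>\S+)$"
)
TS_FORMAT = "%b %d, %Y @ %H:%M:%S.%f"

SSO_IDLE_SECONDS = 3600  # "SSO Session Idle: 1h" from the post's deployment details


def parse_events(text):
    """Parse matching log lines into dicts and return them oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # placeholder rows such as ". recurring refresh token calls ..."
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], TS_FORMAT)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_session_switches(text):
    """Return one record per event whose AuthSessionParentID differs from the
    session recorded at that user's first LOGIN."""
    first_login = {}  # user -> (session id, login timestamp)
    last_seen = {}    # user -> timestamp of the previous event of any type
    switches = []
    for ev in parse_events(text):
        user, session = ev["user"], ev["session"]
        gap = (ev["ts"] - last_seen[user]).total_seconds() if user in last_seen else None
        last_seen[user] = ev["ts"]
        if session == "-":
            continue  # no session column on this event; it only advances last_seen
        if user not in first_login:
            if ev["type"] == "LOGIN":
                first_login[user] = (session, ev["ts"])
            continue
        orig_session, login_ts = first_login[user]
        if session != orig_session:
            elapsed = (ev["ts"] - login_ts).total_seconds()
            switches.append({
                "user": user,
                "type": ev["type"],
                "client": ev["client"],
                "original_session": orig_session,
                "new_session": session,
                "elapsed_seconds": elapsed,
                "hours_since_login": round(elapsed / 3600, 2),
                "gap_before_seconds": gap,
                # True means the user was active within the idle window, so idle expiry
                # cannot explain a fresh auth session at this point.
                "active_within_idle": gap is not None and gap < SSO_IDLE_SECONDS,
            })
    return switches


if __name__ == "__main__":
    for s in detect_session_switches(SAMPLE_LOG):
        print(f"{s['user']} {s['type']} via {s['client']}: "
              f"{s['original_session'][:8]} -> {s['new_session'][:8]} "
              f"after {s['hours_since_login']} h, previous event {s['gap_before_seconds']:.0f} s earlier, "
              f"active within idle window: {s['active_within_idle']}")
```

On the excerpt the only hit is the frontend REFRESH_TOKEN at 13:15:51.181 (about 1.94 h after the first LOGIN, four minutes after the previous refresh), and the LOGOUT that follows is correctly not flagged because it carries the original session ID; running the same function over a full export for the affected deployment gives you the exact timestamps to line up against Keycloak's server logs on both ECS nodes.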