Offline token invalid but not expired


Sébastien Claudel

Jan 5, 2022, 10:53:11 AM
to Keycloak User

Hi,

I have a problem with offline tokens. Some of them expire well before the limit. My offline tokens have an expiration period of 190 days (Offline Session Idle = 190d and Offline Session Max = 190d). To obtain them, my user goes through the authorization code grant flow and consents. The tokens are stored in a database and exchanged for access tokens with a client_id/client_secret.

My users sometimes get this error, which I cannot explain:

{ "error": "invalid_grant", "error_description": "Session doesn't have required client" }

I'm running Keycloak 15.1.1 on a Kubernetes cluster of 3 nodes. The CACHE_OWNER parameter is 2.
I'm using lazy loading of offline tokens with this setting:

<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
    ...
    <spi name="userSessions">
        <default-provider>infinispan</default-provider>
        <provider name="infinispan" enabled="true">
            <properties>
                <property name="preloadOfflineSessionsFromDatabase" value="false"/>
            </properties>
        </provider>
    </spi>
    ...
</subsystem>

Any ideas?

Thanks

Sebastien

Schuster Sebastian (IOB/PAU1)

Jan 5, 2022, 12:30:52 PM
to Sébastien Claudel, Keycloak User

This happens when the offline user session is still found but the related offline client session is not found. Lazy loading only works if the offline user session is not in the cache, then it also automatically loads all related client offline sessions. If the offline user session is in the cache but the client offline session was evicted, you will run into that problem. Have you configured any eviction for your caches (like putting a limit on the cache size)?


Best regards,

Sebastian

Kind regards / Best regards

Dr.-Ing. Sebastian Schuster


Product Area User Management (IOC/PAU1)
Robert Bosch GmbH | Postfach 10 60 50 | 70049 Stuttgart | GERMANY | www.bosch.com
Tel. +49 30 726112-485 | Mobil +49 152 02177668 | Telefax +49 30 726112-100 | Sebastian...@bosch.io


Sébastien Claudel

Jan 5, 2022, 1:28:23 PM
to Keycloak User
Hi,

Thanks for your answer, but I have the default HA configuration for the cache. I'm using the Docker image from quay.io.
I have just set the database parameters, the CACHE_OWNER parameter (3, not 2) and the lazy loading of the offline tokens.

Best regards

Sebastien

Sébastien Claudel

Jan 6, 2022, 3:41:05 AM
to Keycloak User

If my configuration at the cache owner level is not good, could this cause this problem during a cluster shutdown? I have an error in the cache owner configuration. It was not entered correctly: it is at 1 on a cluster of 3. Sorry for the bad information in my previous message.

Schuster Sebastian (IOB/PAU1)

Jan 6, 2022, 7:09:14 AM
to Sébastien Claudel, Keycloak User

Might be. Could cause some data to not be replicated correctly…

Sébastien Claudel

Jan 7, 2022, 3:28:52 AM
to Keycloak User
Hi,

The problem is solved, and it was indeed a cache problem. The CACHE_OWNER parameter was the cause. We were losing sessions during the rolling update phase.

Thanks for your help,

Best regards 

Sébastien

Ashish Chaudhari

Apr 20, 2022, 12:08:57 AM
to Keycloak User
We are also facing the same problem. The logs do not provide any info on why the token is considered invalid, even when it is not expired.

Hi Sebastien,
Can you please help us to know what the solution was in your case?

Also, can I know what can be done to request improved logging in Keycloak, so that the specific reason for the token failure can be identified?

Regards,
Ashish Choudhari

Ashish Chaudhari

May 3, 2022, 5:11:55 AM
to Keycloak User
Hi Sebastien,
Can you please help us with the details of the solution for this problem?

Regards,
Ashish Choudhari

Sébastien Claudel

May 3, 2022, 5:18:50 AM
to Ashish Chaudhari, Keycloak User
Hi,

I'm back from holidays and I just read your message. My solution to this problem was to set the number of "cache owners" in line with the configuration of my cluster. The "cache owner" parameter was 1, and when the node stopped or crashed, the offline sessions on it were lost. Now I set the number of cache owners equal to the minimum number of nodes, to be sure of having replicated sessions. It consumes more memory, but it is more secure for my case.

Best regards,

Sebastien
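As an added example (not code from this thread or from the Keycloak project), here is a small audit script that reads the Infinispan cache-container from a Keycloak/WildFly standalone-ha.xml and flags the offline-session caches whose owners count cannot survive a node leaving the cluster, which is the mis-configuration described above. The sample XML is constructed to match the shape Keycloak 15 ships (the namespace version and the "2 owners by default" rule are assumptions).

```python
import xml.etree.ElementTree as ET

# Constructed sample of the "keycloak" cache-container, with owners="1" on the
# session caches as in the thread's mis-configured 3-node cluster.
SAMPLE_CONFIG = """<subsystem xmlns="urn:jboss:domain:infinispan:12.0">
  <cache-container name="keycloak">
    <transport lock-timeout="60000"/>
    <distributed-cache name="sessions" owners="1"/>
    <distributed-cache name="offlineSessions" owners="1"/>
    <distributed-cache name="clientSessions" owners="1"/>
    <distributed-cache name="offlineClientSessions" owners="1"/>
    <distributed-cache name="actionTokens" owners="2"/>
  </cache-container>
</subsystem>"""

# The offline user session and its client sessions live in separate caches.
# If a node holding the only copy of offlineClientSessions entries dies, the
# user session may still be found while its client session is gone, which is
# exactly the "Session doesn't have required client" failure from the thread.
OFFLINE_CACHES = ("offlineSessions", "offlineClientSessions")


def cache_owners(config_xml: str) -> dict:
    """Return {cache name: owners} for every distributed-cache in the file."""
    root = ET.fromstring(config_xml)
    owners = {}
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]  # drop the jboss XML namespace
        if tag == "distributed-cache":
            # Assumption: WildFly defaults to 2 owners when the attribute is omitted.
            owners[elem.get("name")] = int(elem.get("owners", "2"))
    return owners


def under_replicated(config_xml: str, nodes: int, tolerated_failures: int = 1) -> list:
    """Offline caches that lose entries if `tolerated_failures` nodes go away.

    An entry survives while at least one owner is up, so the cache needs more
    owners than the number of nodes that may be down at once (a rolling update
    takes down one node at a time). Owners can never exceed the node count.
    """
    required = min(nodes, tolerated_failures + 1)
    owners = cache_owners(config_xml)
    return [name for name in OFFLINE_CACHES if owners.get(name, 0) < required]


if __name__ == "__main__":
    for name in under_replicated(SAMPLE_CONFIG, nodes=3):
        print(f"{name}: owners too low for a 3-node cluster, raise to at least 2")
```

Rerunning the check after raising the owners of both offline caches to the node count reports nothing, which matches the fix the thread converged on.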
