New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Negative refresh token expiration (exp timestamp in the past) #11990
Comments
I am experiencing a similar problem. I get negative "refresh_expires_in" values when I set my Client_session_max lower than my SSO_Session_max. The numbers shown in the response seem to be the settings I use in de Client_Session_Max and the Client_Session_Idle, however my session is only being ended when the SSO_Session_Max time is reached. Between My Client_Session_Max expiring and my SSO_Session_Max still being valid I see the "refresh_expires_in" value going down into negative numbers. |
When the client session max lifetime is set shorter than the sso session max lifetime, at the point where the client session gets terminated, the refresh token endpoint returns 400. When the user then tries to login again the SSO remembers that there is a session but the resulting refresh token of the token request has a negative expire time. Now the getRefreshExpiration method correctly uses the clientSession to calculate the expire time for the refresh token. Fixes keycloak#11990
I'm getting negative expiration_in for following scenario. I'm trying to get access token with refresh_token grant where refresh token is offline token (refresh token with scope=offline_access). I thought that SSO Max should not impact offline session. I have review all expiration times and I'm not able to figure it out what is going on. I tried to set offline session max from unlimited to 120 days without success. Ream timeouts:
|
I've encountered similar problem but with
Users started reporting such problem right after upgrade from v13.1 to 18.1 |
When the client session max lifetime is set shorter than the sso session max lifetime, at the point where the client session gets terminated, the refresh token endpoint returns 400. When the user then tries to login again the SSO remembers that there is a session but the resulting refresh token of the token request has a negative expire time. Now the getRefreshExpiration method correctly uses the clientSession to calculate the expire time for the refresh token. Fixes keycloak#11990
When the client session max lifetime is set shorter than the sso session max lifetime, at the point where the client session gets terminated, the refresh token endpoint returns 400. When the user then tries to login again the SSO remembers that there is a session but the resulting refresh token of the token request has a negative expire time. Now the getRefreshExpiration method correctly uses the clientSession to calculate the expire time for the refresh token. Fixes keycloak#11990
…ore tests. Closes keycloak#14854 Closes keycloak#11990
…ore tests. Closes keycloak#14854 Closes keycloak#11990
…ore tests. Closes keycloak#14854 Closes keycloak#11990
…ore tests. Closes keycloak#14854 Closes keycloak#11990
@pehunka we are having the exact same error, did you find any workaround ? |
When the client session max lifetime is set shorter than the sso session max lifetime, at the point where the client session gets terminated, the refresh token endpoint returns 400. When the user then tries to login again the SSO remembers that there is a session but the resulting refresh token of the token request has a negative expire time. Now the getRefreshExpiration method correctly uses the clientSession to calculate the expire time for the refresh token. Fixes keycloak#11990
…ore tests. Closes keycloak#14854 Closes keycloak#11990
…implementations Closes keycloak#14854 Closes keycloak#11990
…implementations Closes keycloak#14854 Closes keycloak#11990
…implementations Closes keycloak#14854 Closes keycloak#11990
…implementations Closes keycloak#14854 Closes keycloak#11990
…implementations Closes keycloak#14854 Closes keycloak#11990
…implementations Closes keycloak#14854 Closes keycloak#11990
Describe the bug
I came across a strage behavior (seemingly a bug) regarding the refresh token expiration.
Under some (unknown) circumstances, the refresh_token issued by Keycloak contains an
exp
claim timestamp that is before theiat
timestamp, e.g.:This happens when retrieving an access token + refresh token from the https://kc-host/realms/my-realm/protocol/openid-connect/token endpoint using the
authorization_code
grant type.Likewise, the response from the token endpoint contains a negative
refresh_expires_in
value:Other timestamps/expirations are fine however (e.g., access token and KEYCLOAK_IDENTITY cookie in the same request showed OK).
I stumbled across this issue by recognizing a frequent "hard" refresh of my frontend client, since the regular refresh of the access token fails (due to the invalid refresh token, obviously). This led me to investigating said problem with the refesh token.
Noteworthy:
Version
17.0.1
Expected behavior
Refresh token expiration to be positive and as configured, e.g.:
"refresh_expires_in": 1800
Actual behavior
Refresh token expiration is negative, e.g.:
"refresh_expires_in": -15933
How to Reproduce?
Token lifespan relevant realm config:
Realm client config:
Client application:
Anything else?
Interestingly, until now, I only happened to experience this problem with Chrome on macOS. No issue so far on Chrome on Windows.
On the macOS machine, however, it also does not occur consistently. We have multiple Keycloak instances (for different environments), with the exact same Keycloak deployed (17.0.1) and identical realm configurations. On some instances I face the problem, while others are fine. Also, the problem is not always present.
I somewhat feel like there's a correlation that this problem occurs when I continue using the affected web frontend after the macbook was on standby/hibernate for a couple of hours.
The text was updated successfully, but these errors were encountered: