javax.net.ssl.SSLException exceptions because org.keycloak.adapters.HttpClientBuilder ignores connectionTTL setting

[morepe]

Before reporting an issue

• I have searched existing issues
• I have reproduced the issue with the latest release

Area

oidc

Describe the bug

The property connectionTTL can be set but it is never used in the org.keycloak.adapters.HttpClientBuilder#build method. This results that connections live forever, resulting in Connection reset Exceptions, when the connection was closed on the server.

The PoolingHttpClientConnectionManager should be created like this:

PoolingHttpClientConnectionManager tcm = new PoolingHttpClientConnectionManager(sf.build(), null, null, null, connectionTTL, connectionTTLUnit);

If the poolsize is set to 1 its more difficult. Could be fixed by setting the keepAliveStrategy on BasicHttpClientConnectionManager

Version

20.0.1

Expected behavior

Property connectionTTL of org.keycloak.adapters.HttpClientBuilder should be used when creating a httpClient

Actual behavior

Property connectionTTL of org.keycloak.adapters.HttpClientBuilder is ignored when creating a httpClient

How to Reproduce?

• Use a code like this to create an httpClient:

            HttpClientBuilder httpClientBuilder = new HttpClientBuilder();

            LOGGER.info("Setting timeouts socketTimeoutSeconds={}, connectionTTLSeconds={}, establishConnectionTimeoutSeconds={}",
                    adapterConfig.getSocketTimeoutSeconds(), adapterConfig.getConnectionTtlSeconds(), adapterConfig.getEstablishConnectionTimeoutSeconds());
            httpClientBuilder.socketTimeout(adapterConfig.getSocketTimeoutSeconds(), TimeUnit.SECONDS);
            httpClientBuilder.connectionTTL(adapterConfig.getConnectionTtlSeconds(), TimeUnit.SECONDS);
            httpClientBuilder.establishConnectionTimeout(adapterConfig.getEstablishConnectionTimeoutSeconds(), TimeUnit.SECONDS);
            HttpClient client = httpClientBuilder.build(adapterConfig);

• Use this client to fetch tokens from keycloak.
• Have some component in between that closes idle connection. This happens for example when an AWS NAT Gateway is in between, that closes the connection after 350 seconds with an RST packet
• Try to fetch the token again

=> javax.net.ssl.SSLException: Connection reset

Anything else?

https://stackoverflow.com/questions/49994901/connection-reset-by-keycloaks-java-adapter
https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-troubleshooting.html