'Refresh token expired' exception with Keycloak SSO

[claudiat]

Hello,

I have implemented the AppAuth library with the Keycloak SSO and I get refresh tokens that expire within 30 minutes after the token request. Therefore, when I try to get a new access token by calling the 'performActionWithFreshTokens' function 30 minutes after calling the 'performTokenRequest' function, I get the following exception :
{"type":2,"code":2002,"error":"invalid_grant","errorDescription":"Refresh token expired","errorUri":""}

I tried to dodge this problem by getting an offline token by specifying 'offline_access' in setScope in the AuthorizationRequest builder but I get the following exception:
AuthorizationException: {"type":0,"code":5,"errorDescription":"JSON deserialization error"}

The "offline_access" is however supported in the SSO configuration.

My questions are :

• do you happen to kwno why do my refresh tokens have a validity time of only 30 minutes?
• why do I get the "JSON deserialization" error even if my Keycloak configuration allows for offline tokens?

Thank you for your time!

[iainmcgin]

Refresh token expiration looks like a non-standard feature of Keycloak. If you control the Keycloak instance, I think you can turn off refresh token expiration, or otherwise tweak the expiration times: https://www.keycloak.org/docs/3.2/server_admin/topics/sessions/timeouts.html

As for the JSON deserialization error, I can't help with that without some additional information:

• Does this happen after the completion of the authorization flow?
• Can you introduce a breakpoint for an AuthorizationException being thrown, and see if you can pull out the JSON for inspection? If so, please share the JSON for analysis here.

[claudiat]

Hello,

Thank you for your answer.

I manage to get an AutorizationResponse without an AuthorizationException after calling the performAuthorizationRequest(authorizationRequest, pendingIntent) on the service. I get the JSON Exception when I call the function performTokenRequest on the Authorisation Service:
AuthorizationException: {"type":0,"code":5,"errorDescription":"JSON deserialization error"} Caused by: org.json.JSONException: End of input at character 0 of

I looked at the TokenRequestTask and I see that the ResponseCode of the HttpURLConnection is 500. The response value of String response = Utils.readInputStream(is) is "" and the JSON casting of the value "" at new JSONObject(response) renders the exception.

[iainmcgin]

OK, it sounds like we could do a better job of distinguishing 500 errors, but if you're getting a 500 error (an internal error, per the HTTP spec) back from Keycloak then that indicates a failure in that service, not in AppAuth. I would suggest looking at any logging that KeyCloak provides to see what caused the internal error. I'll close this issue and open an enhancement issue for improving the reporting of 500 errors within AppAuth.

[essieM]

@claudiat how did you manage to solve this refresh token expired issue. I'm also using KeyCloak and I'm facing the same challenge. I posted a question here :
https://github.com/openid/AppAuth-Android/issues/531