Keycloak issue KEYCLOAK-11829

Should search for an offline token in the DB when a token is not found in the Infinispan cache


Details


1. Configure RH-SSO x 2 nodes using an external DB. Note that owners=1 in offlineSessions and offlineClientSessions:

   <distributed-cache name="offlineSessions" owners="1"/>
   <distributed-cache name="offlineClientSessions" owners="1"/>

2. Start RH-SSO#1 (assume it runs on port 8080 with standalone-ha.xml).
3. Start RH-SSO#2 (assume it runs on port 8180 with standalone-ha.xml).
4. Create the client "testclient" with offline_access enabled in the "master" realm.
5. Log in to RH-SSO#1:

   OFFLINE_TOKEN1=`curl --request POST http://localhost:8080/auth/realms/master/protocol/openid-connect/token --header "Accept: application/json" --header "Content-Type: application/x-www-form-urlencoded" --data "grant_type=password&username=admin&password=password&client_id=testclient&client_secret=d9c21a1b-5f7f-42dc-833f-70266b6bec1a&scope=offline_access" | jq -r .refresh_token`

6. Log in to RH-SSO#2:

   OFFLINE_TOKEN2=`curl --request POST http://localhost:8180/auth/realms/master/protocol/openid-connect/token --header "Accept: application/json" --header "Content-Type: application/x-www-form-urlencoded" --data "grant_type=password&username=admin&password=password&client_id=testclient&client_secret=d9c21a1b-5f7f-42dc-833f-70266b6bec1a&scope=offline_access" | jq -r .refresh_token`

7. Confirm you can refresh your access_token on both nodes:

   curl --request POST http://localhost:8080/auth/realms/master/protocol/openid-connect/token --header "Accept: application/json" --header "Content-Type: application/x-www-form-urlencoded" --data "grant_type=refresh_token&refresh_token=$OFFLINE_TOKEN1&client_id=testclient&client_secret=d9c21a1b-5f7f-42dc-833f-70266b6bec1a" | jq
   curl --request POST http://localhost:8180/auth/realms/master/protocol/openid-connect/token --header "Accept: application/json" --header "Content-Type: application/x-www-form-urlencoded" --data "grant_type=refresh_token&refresh_token=$OFFLINE_TOKEN2&client_id=testclient&client_secret=d9c21a1b-5f7f-42dc-833f-70266b6bec1a" | jq

8. Stop RH-SSO#2, then start RH-SSO#2 again.
9. Refresh an access_token on RH-SSO#2:

   curl --request POST http://localhost:8180/auth/realms/master/protocol/openid-connect/token --header "Accept: application/json" --header "Content-Type: application/x-www-form-urlencoded" --data "grant_type=refresh_token&refresh_token=$OFFLINE_TOKEN2&client_id=testclient&client_secret=d9c21a1b-5f7f-42dc-833f-70266b6bec1a" | jq

   Then you will see:

   {
     "error": "invalid_grant",
     "error_description": "Offline user session not found"
   }

    Description

When one of the 2 nodes in a cluster is shut down, the offline tokens held in that node's Infinispan cache are lost (although they are still stored in the DB). When the node is started again, the missing offline tokens are not read back from the DB, so refreshing with such an offline token fails as invalid. Keycloak/RH-SSO should search the DB for an offline token if it is not found in the Infinispan cache.
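The following is an added example, not code from the Keycloak project or from this issue. It reproduces step 9 of the procedure above without curl/jq (Python's urllib against the token endpoint) and adds two checks a defender would want: a classifier that recognises the exact `invalid_grant` / "Offline user session not found" response the issue reports, and a scan of the Infinispan cache configuration that flags `offlineSessions` / `offlineClientSessions` entries with fewer than 2 owners, the setting under which a single node restart drops every offline session that node owned. The `KC_*` environment variable names, the `TOKEN_URL` template, and the fallback of 2 owners when the attribute is absent (the WildFly subsystem default) are assumptions of this example.

```python
"""Probe for the offline-session cache/DB mismatch described in this issue.

Added example, not from the Keycloak project. Two pure helpers carry the
logic so they can be tested offline; run_probe() wires them to a live node
via urllib (a stand-in for the curl calls in the reproduction steps). The
TOKEN_URL template, the KC_* variable names and the assumed default of 2
owners for a WildFly distributed-cache are assumptions of this example.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

TOKEN_URL = "{base}/auth/realms/{realm}/protocol/openid-connect/token"

# Error the issue reports after the node restart (quoted from the issue).
OFFLINE_SESSION_LOST = ("invalid_grant", "Offline user session not found")

# Caches that hold offline sessions; with owners="1" a node restart drops
# every entry that node owned, and the restarted node does not reload them.
OFFLINE_CACHES = ("offlineSessions", "offlineClientSessions")


def classify_refresh_response(status, body):
    """Map a token-endpoint response to ok / offline_session_lost / other_error.

    `body` is the parsed JSON object returned by the endpoint.
    """
    if status == 200 and "access_token" in body:
        return "ok"
    pair = (body.get("error"), body.get("error_description"))
    if pair == OFFLINE_SESSION_LOST:
        return "offline_session_lost"
    return "other_error"


def caches_with_single_owner(xml_text, default_owners=2):
    """Return names of offline caches configured with fewer than 2 owners.

    Works on a full standalone-ha.xml (namespaced tags) or on a fragment
    wrapped in any root element; only the local tag name is inspected.
    """
    root = ET.fromstring(xml_text)
    weak = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "distributed-cache":
            continue
        name = elem.get("name")
        owners = int(elem.get("owners", default_owners))
        if name in OFFLINE_CACHES and owners < 2:
            weak.append(name)
    return weak


def refresh_access_token(base, realm, client_id, client_secret, refresh_token):
    """POST grant_type=refresh_token, returning (http_status, parsed_json)."""
    data = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(
        TOKEN_URL.format(base=base, realm=realm), data=data,
        headers={"Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        # Keycloak answers invalid_grant with a non-2xx status and a JSON body.
        return exc.code, json.loads(exc.read() or b"{}")


def run_probe():
    """Step 9 of the reproduction: refresh an offline token on the restarted node."""
    base = os.environ.get("KC_BASE", "http://localhost:8180")  # assumed variable names
    status, body = refresh_access_token(
        base,
        os.environ.get("KC_REALM", "master"),
        os.environ.get("KC_CLIENT_ID", "testclient"),
        os.environ["KC_CLIENT_SECRET"],
        os.environ["KC_OFFLINE_TOKEN"])
    verdict = classify_refresh_response(status, body)
    print(f"{base}: HTTP {status} -> {verdict}")
    return verdict


if __name__ == "__main__":
    run_probe()
```

Run `caches_with_single_owner()` over the node's standalone-ha.xml before deploying: a non-empty result means offline sessions live on exactly one node and will disappear with it, which is the precondition for the failure above. Raising `owners` keeps a replica on another node; the DB fallback the issue asks for would make the restarted node recover regardless of the owner count.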

People

mposolda@redhat.com Marek Posolda
rhn-support-hokuda Hisanobu Okuda
Votes: 3
Watchers: 7