Keycloak / KEYCLOAK-14340

Whole page refreshed when open multiple tabs and Revoke Refresh Token flag enabled

    Details

    • Sprint:
      Keycloak Sprint 40, Keycloak Sprint 42, Keycloak Sprint 43
    • Story Points:
      1
    • Steps to Reproduce:

      Steps to produce this issue on the Keycloak administration console:
      1) Run a new Keycloak docker
      2) In the Keycloak master realm, enable the Revoke Refresh Token flag and modify Refresh Token Max Reuse to be equal to 10 (here the number is not important)
      3) Log out and log in again, open multiple tabs and wait until the end of the Access Token Lifespan (to speed up the process, make the Lifespan = 1 minute)
      4) Try to navigate in the 1st tab; you will notice a request to refresh the token sent to the backend
      5) Now try to navigate inside the 2nd tab; you will notice that a request to refresh the token failed (with an HTTP 400 error) and the whole page refreshed

    • Workaround Description:

      Unverified workaround: silent check-sso

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      We have a bug where the whole page is refreshed when I'm working in multiple tabs and the Revoke Refresh Token flag is enabled. This configuration was enabled due to a security recommendation and can't be disabled again. This issue affects the Keycloak administration console in addition to my front-end app that integrates with Keycloak (to get the access token and refresh it before adding the Authorization header to the API request).


              People

              • Assignee:
                abstractj Bruno Oliveira da Silva
                Reporter:
                ahmadabulaban Ahmad AbuLaban