Keycloak issue KEYCLOAK-6170

Multiple offline sessions issued from the same user session fail token refresh


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.3.0.Final, 3.4.0.Final, 3.4.1.Final, 3.4.2.Final, 3.4.3.Final
    • Fix Version/s: 4.0.0.Final
    • Sprint: Keycloak Sprint 2, Keycloak Sprint 3, Keycloak Sprint 4, Keycloak Sprint 5, Keycloak Sprint 6, Keycloak Sprint 7
    • Story Points: 8
    • Steps to Reproduce:
      1. Create two realm roles, level1 and level2.
      2. Authenticate a user at the authorization endpoint (/auth) with scope=openid+offline_access+level1 and exchange the authorization code for tokens.
      3. Within the SSO session created in step 2, send the user to /auth again with scope=openid+offline_access+level2 and exchange the authorization code for tokens.
      4. Send a refresh token request with the refresh token obtained in step 3.

    Description

      Given two offline sessions issued from the same user (SSO) session, where the second session carries realm roles that are not present in the first, refreshing the second session with its refresh token fails with:
      {"error":"invalid_scope","error_description":"User no long has permission for realm role: <some_role>"}
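      The reproduction below is an added example, not code from the Keycloak project or the reporter. It drives the browser side of the authorization code flow with a cookie jar, so the second request to /auth rides the SSO session created by the first (the condition in step 3), exchanges each code for tokens, decodes the two refresh tokens without verifying them to show their type and realm roles, and then refreshes both and classifies the token endpoint's answer. Everything about the deployment is an assumption supplied through environment variables: the base URL, realm, a confidential client with a secret and a registered redirect URI, and a user who holds the realm roles level1 and level2. The login-form id ("kc-form-login", the stock theme) and the wording of the error description that the classifier parses are also assumptions.

```python
"""Reproduction of the steps above; added example, not Keycloak project code.
Environment (assumed): KEYCLOAK_URL (e.g. http://localhost:8080/auth), KEYCLOAK_REALM,
a confidential client KEYCLOAK_CLIENT_ID/KEYCLOAK_CLIENT_SECRET whose valid redirect URI
is KEYCLOAK_REDIRECT_URI, and KEYCLOAK_USER/KEYCLOAK_PASSWORD holding roles level1, level2.
The login-form id and the error-message layout are assumptions about Keycloak's stock theme."""
import base64, json, os, re
import urllib.error, urllib.parse, urllib.request
from http.cookiejar import CookieJar

BASE = os.environ.get("KEYCLOAK_URL", "http://localhost:8080/auth")
REALM = os.environ.get("KEYCLOAK_REALM", "demo")
CLIENT_ID = os.environ.get("KEYCLOAK_CLIENT_ID", "repro")
CLIENT_SECRET = os.environ.get("KEYCLOAK_CLIENT_SECRET", "")
REDIRECT_URI = os.environ.get("KEYCLOAK_REDIRECT_URI", "http://localhost:9999/cb")
USERNAME = os.environ.get("KEYCLOAK_USER", "alice")
PASSWORD = os.environ.get("KEYCLOAK_PASSWORD", "")

def authorize_url(base, realm, client_id, redirect_uri, scope):
    """Authorization endpoint URL for the code flow with the given scope string."""
    q = urllib.parse.urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                                "response_type": "code", "scope": scope})
    return f"{base}/realms/{realm}/protocol/openid-connect/auth?{q}"

def code_from_redirect(location):
    """Authorization code carried by the redirect back to redirect_uri, or None."""
    query = urllib.parse.urlsplit(location).query
    return urllib.parse.parse_qs(query).get("code", [None])[0]

def login_form_action(html):
    """Action URL of the login form (assumes the stock theme's id="kc-form-login")."""
    m = re.search(r'<form[^>]*id="kc-form-login"[^>]*action="([^"]+)"', html)
    return m.group(1).replace("&amp;", "&") if m else None

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature; inspection only."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def classify_refresh(status, body):
    """Reduce a token-endpoint response to the outcome this report is about."""
    if status == 200 and "refresh_token" in body:
        return {"ok": True}
    if body.get("error") == "invalid_scope":
        m = re.search(r"realm role: (\S+)", body.get("error_description", ""))
        return {"ok": False, "error": "invalid_scope", "role": m.group(1) if m else None}
    return {"ok": False, "error": body.get("error", f"http {status}")}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Never follow redirects; the caller reads the Location header instead."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http(opener, url, form=None):
    """GET, or POST a form; returns (status, body, Location-or-None)."""
    data = urllib.parse.urlencode(form).encode() if form is not None else None
    try:
        with opener.open(url, data=data) as resp:
            return resp.status, resp.read().decode(), None
    except urllib.error.HTTPError as err:  # 3xx/4xx land here because of NoRedirect
        return err.code, err.read().decode(), err.headers.get("Location")

def get_code(opener, scope):
    """Browser part of the code flow; the cookie jar carries the SSO session."""
    status, html, loc = http(opener, authorize_url(BASE, REALM, CLIENT_ID, REDIRECT_URI, scope))
    if loc is None:  # first pass: no SSO cookie yet, so submit the login form
        action = login_form_action(html)
        if action is None:
            raise SystemExit(f"neither login form nor redirect (HTTP {status})")
        status, html, loc = http(opener, action, {"username": USERNAME, "password": PASSWORD})
    code = code_from_redirect(loc or "")
    if code is None:
        raise SystemExit(f"no authorization code in redirect (HTTP {status}): {loc}")
    return code

def token_request(opener, **params):
    """POST to the token endpoint as the confidential client."""
    url = f"{BASE}/realms/{REALM}/protocol/openid-connect/token"
    form = {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, **params}
    status, body, _ = http(opener, url, form)
    return status, json.loads(body)

def main():
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()), NoRedirect)
    refresh_tokens = []
    for scope in ("openid offline_access level1", "openid offline_access level2"):
        code = get_code(opener, scope)  # second pass reuses the SSO session from the first
        status, tokens = token_request(opener, grant_type="authorization_code",
                                       code=code, redirect_uri=REDIRECT_URI)
        if status != 200:
            raise SystemExit(f"code exchange failed: {tokens}")
        claims = jwt_claims(tokens["refresh_token"])
        print(f"{scope!r}: typ={claims.get('typ')} roles={claims.get('realm_access', {}).get('roles')}")
        refresh_tokens.append(tokens["refresh_token"])
    for n, rt in enumerate(refresh_tokens, 1):  # per the report, only the second one fails
        status, body = token_request(opener, grant_type="refresh_token", refresh_token=rt)
        print(f"refresh of offline session {n}: {classify_refresh(status, body)}")

if __name__ == "__main__":
    main()
```

      Run it with the environment variables set against a test realm. On an affected version the second refresh is expected to come back as invalid_scope naming level2 while the first succeeds; on a fixed version both refreshes return a new token set. The JWT decoder deliberately skips signature verification because it only reports what the server put in the tokens; never use it to accept a token.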

    People

      Assignee: Marek Posolda (mposolda@redhat.com)
      Reporter: Johannes K (knutz3n)
      Votes: 1
      Watchers: 4