Keycloak issue KEYCLOAK-9870

Gatekeeper renewal does not renew refresh tokens


Details

    • Keycloak Sprint 24

      In Keycloak, under the Tokens menu, set "Revoke Refresh Token" to ON with the value set to 0.
      This means a refresh token can be used only once.

      Gain access to a session through keycloak-gatekeeper, wait for the token to expire,
      then try calling a resource: this works.
      Now wait for a second token expiry.
      Try calling a resource again: failure - the refresh token has expired.

    • NEW

    Description

      keycloak-gatekeeper automatically refreshes the access token whenever needed
      by starting a refresh token grant flow with the Keycloak server.

      This works well when refresh tokens are never revoked.

      If the Keycloak server is configured to revoke refresh tokens after use (Keycloak lets you configure this as n uses before the refresh token is revoked), keycloak-gatekeeper fails
      to refresh successfully after the first refresh.

      The reason is that the new refresh token returned by the OAuth2 server is ignored.

      Proposed solution: the newly provided refresh token should be used to update the proxy state (forwarding mode) and the refresh cookie.
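      The failure mode and the proposed fix, as an added Go simulation that is not gatekeeper's own code: a constructed stub of the Keycloak token endpoint with single-use refresh tokens, and a proxy-side refresh step that either drops or keeps the rotated refresh token. The names stubServer, proxyState, refresh and Simulate are hypothetical.

```go
package main

import "fmt"

// tokenResponse: the token endpoint fields relevant here (Keycloak rotates refresh_token).
type tokenResponse struct{ AccessToken, RefreshToken string }

// stubServer (constructed) stands in for Keycloak with "Revoke Refresh Token" ON
// and max reuse 0: every refresh token can be redeemed exactly once; used records them.
type stubServer struct{ used map[string]bool }

// Refresh is the refresh_token grant with single-use semantics.
func (s *stubServer) Refresh(rt string) (tokenResponse, error) {
	if s.used[rt] {
		return tokenResponse{}, fmt.Errorf("invalid_grant: refresh token %q already used", rt)
	}
	s.used[rt] = true
	n := len(s.used) // one new token pair per successful refresh
	return tokenResponse{fmt.Sprintf("access-%d", n), fmt.Sprintf("refresh-%d", n)}, nil
}

// proxyState is the per-session state the proxy keeps (forwarding mode and refresh cookie).
type proxyState struct{ accessToken, refreshToken string }

// refresh runs one refresh-token grant. keepRotated=false reproduces the defect (the
// rotated refresh token is dropped, so the next refresh presents a revoked one); true applies the fix.
func refresh(s *stubServer, p *proxyState, keepRotated bool) error {
	resp, err := s.Refresh(p.refreshToken)
	if err != nil {
		return err
	}
	p.accessToken = resp.AccessToken
	if keepRotated && resp.RefreshToken != "" {
		p.refreshToken = resp.RefreshToken
	}
	return nil
}

// Simulate starts from a freshly issued session and refreshes across two token
// expiries, returning how many refreshes succeeded (1 with the bug, 2 with the fix).
func Simulate(keepRotated bool) int {
	s := &stubServer{used: map[string]bool{}}
	p := &proxyState{"access-0", "refresh-0"} // tokens issued at login
	for i := 0; i < 2; i++ {
		if refresh(s, p, keepRotated) != nil {
			return i
		}
	}
	return 2
}
```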

          People

            boliveir_managed_kafka_security (inactive user) Bruno Oliveira Silva
            fredbi-1 Frédéric BIDON (Inactive)