Bug
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
storage
Describe the bug
When the "clientOfflineSessionIdleTimeout" realm attribute is set to some value > 0, e.g. 180, and "offlineSessionMaxLifespanEnabled" is false, then the refresh_token obtained for the client/user has no expiration for the offline token, which is the expected behaviour based on "offlineSessionMaxLifespanEnabled".
Keycloak internally runs a scheduled task every 15 minutes to clean up expired offline sessions, where it cleans the offline sessions based only on "clientOfflineSessionIdleTimeout", which makes the refresh_token invalid.
Note: In the UI we don't have support to add "clientOfflineSessionIdleTimeout", but it can be set via the update realm API.
Version
26.0.5
Regression
[ ] The issue is a regression
Expected behavior
When the "offlineSessionMaxLifespanEnabled" realm attribute is set to false, the refresh_token shouldn't be cleared even when the "clientOfflineSessionIdleTimeout" attribute has a value.
Actual behavior
Keycloak internally clears the offline session when "clientOfflineSessionIdleTimeout" has a value, and the expiry is calculated from that value and the current time even when "offlineSessionMaxLifespanEnabled" is false.
How to Reproduce?
- Using the update realm endpoint, set "clientOfflineSessionIdleTimeout" to a value greater than 0 (e.g. 120) and "offlineSessionMaxLifespanEnabled" to false.
- Get a refresh_token using the token endpoint and verify that the field "refresh_expires_in" has the value 0.
- Use the refresh_token in an offline token exchange; it should be able to obtain a new access_token.
- Wait at least 15 to 30 minutes, since the scheduled task runs internally every 15 minutes to clean the offline sessions based on "clientOfflineSessionIdleTimeout".
- Then use the same refresh_token in an offline token exchange again; it will throw the error "invalid_grant", "session doesn't have required client".
Anything else?
No response
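As an added example (not part of the report or of Keycloak itself), the following script audits a realm representation for the combination described in this issue, so an operator can find realms where offline refresh tokens advertise no expiry yet will be removed by the idle-timeout cleanup. It assumes the realm export shape used by the update-realm API: "offlineSessionMaxLifespanEnabled" as a top-level boolean and "clientOfflineSessionIdleTimeout" as a string in the "attributes" map; the sample realm is constructed.

```python
"""Audit a Keycloak realm representation for the offline-session misconfiguration above."""
import json

# The offline-session cleanup task runs every 15 minutes (as stated in the report).
CLEANUP_INTERVAL_SECONDS = 15 * 60


def client_offline_idle_timeout(realm: dict) -> int:
    """Return the per-client offline idle timeout in seconds (0 when unset or malformed).

    Assumption: the value lives in the realm 'attributes' map as a string.
    """
    raw = realm.get("attributes", {}).get("clientOfflineSessionIdleTimeout", "0")
    try:
        return int(raw)
    except (TypeError, ValueError):
        return 0


def audit_realm(realm: dict) -> list[str]:
    """Return human-readable findings; an empty list means no issue was found."""
    findings = []
    idle = client_offline_idle_timeout(realm)
    max_lifespan_enabled = bool(realm.get("offlineSessionMaxLifespanEnabled", False))
    if idle > 0 and not max_lifespan_enabled:
        findings.append(
            f"realm '{realm.get('realm')}': clientOfflineSessionIdleTimeout={idle}s "
            "with offlineSessionMaxLifespanEnabled=false; refresh tokens report "
            f"refresh_expires_in=0 but idle offline sessions are removed after {idle}s "
            "(invalid_grant on the next refresh)"
        )
    return findings


def removal_window(last_refresh_epoch: int, idle_seconds: int) -> tuple[int, int]:
    """Earliest and latest epoch seconds at which the periodic cleanup task may
    drop an idle offline session, given the idle timeout and the 15-minute interval."""
    earliest = last_refresh_epoch + idle_seconds
    return earliest, earliest + CLEANUP_INTERVAL_SECONDS


# Constructed sample realm export mirroring the report (not a real deployment).
SAMPLE_REALM = json.loads("""{
  "realm": "demo",
  "offlineSessionMaxLifespanEnabled": false,
  "attributes": {"clientOfflineSessionIdleTimeout": "180"}
}""")

if __name__ == "__main__":
    for finding in audit_realm(SAMPLE_REALM):
        print(finding)
```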