Red Hat build of Keycloak / RHBK-2956

Persistent User Sessions doesn't track staleness of client sessions [GHI#38591]


      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      core

      Describe the bug

      I came across a situation where, with persistent sessions enabled, all client sessions are kept alive when any one of the user session's client sessions is refreshed.

      Still, if the user session times out, the client sessions time out as well.

      Reason: this snippet of code, which was probably true for offline sessions (only one offline client session per offline user session):

      https://github.com/keycloak/keycloak/blob/9861acc2aaa6b8d588ef1155563c1f652ec08d28/model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/PersistentUserSessionProvider.java#L749-L750

      Version

      main

      Regression

      [ ] The issue is a regression

      Expected behavior

      If the expiry time of a client session has been reached, it shouldn't be allowed to refresh its token

      Actual behavior

      The client session staleness is calculated from the user session's last-updated timestamp.

      How to Reproduce?

      Manually set the timestamp in the client session table to 0, then restart Keycloak to clear the caches.

      Anything else?

      I'll create a PR
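The following is an added, constructed model of the staleness check this report describes; it is not Keycloak's code and uses none of its APIs. It places the reported behaviour (client-session age derived from the user session's last refresh) beside the expected behaviour (each client session judged by its own timestamp, while still honouring user-session expiry), and replays the reproduction scenario of a client-session timestamp forced to 0. Timestamps are Unix seconds; `idle_timeout` and `max_lifespan` stand in for the realm's SSO session idle and max settings (names and values assumed).

```python
"""Model of the client-session staleness check discussed in this issue.

Added, constructed illustration: this is not Keycloak's code and uses none of
its APIs. Timestamps are Unix seconds; `idle_timeout` and `max_lifespan` stand
in for the realm's SSO session idle / max settings (names assumed).
"""
from dataclasses import dataclass, field


@dataclass
class ClientSession:
    timestamp: int  # this client session's own last-refresh time


@dataclass
class UserSession:
    started: int        # when the user session was created
    last_refresh: int   # bumped whenever *any* of its client sessions refreshes
    client_sessions: dict = field(default_factory=dict)  # client_id -> ClientSession


def user_session_expired(us, now, idle_timeout, max_lifespan):
    """A user session is gone once it idles past idle_timeout or outlives max_lifespan."""
    return (now - us.last_refresh > idle_timeout) or (now - us.started > max_lifespan)


def expired_from_user_session(us, cs, now, idle_timeout, max_lifespan):
    """Reported behaviour: the client session's age is taken from the user
    session's last refresh, so refreshing one client keeps every client alive."""
    if user_session_expired(us, now, idle_timeout, max_lifespan):
        return True
    return now - us.last_refresh > idle_timeout


def expired_from_own_timestamp(us, cs, now, idle_timeout, max_lifespan):
    """Expected behaviour: stale when the user session is gone OR when this
    client session's own timestamp has not been refreshed within idle_timeout."""
    if user_session_expired(us, now, idle_timeout, max_lifespan):
        return True
    return now - cs.timestamp > idle_timeout


def can_refresh_token(us, client_id, now, idle_timeout, max_lifespan, staleness_check):
    """A refresh token for client_id is usable only if its client session is not stale."""
    cs = us.client_sessions.get(client_id)
    if cs is None:
        return False
    return not staleness_check(us, cs, now, idle_timeout, max_lifespan)


def reproduce(now=1_700_000_000, idle_timeout=1800, max_lifespan=36000):
    """Constructed scenario mirroring the report: the user session was just
    refreshed through client app-a, while app-b's client-session timestamp has
    been forced to 0 (as in the reproduction steps). Returns, per check, whether
    app-b may still refresh, and the same after the whole user session idles out."""
    us = UserSession(started=now - 600, last_refresh=now)
    us.client_sessions = {
        "app-a": ClientSession(timestamp=now),
        "app-b": ClientSession(timestamp=0),
    }
    later = now + idle_timeout + 1  # user session itself has now idled out
    return {
        "buggy": can_refresh_token(us, "app-b", now, idle_timeout, max_lifespan, expired_from_user_session),
        "fixed": can_refresh_token(us, "app-b", now, idle_timeout, max_lifespan, expired_from_own_timestamp),
        "buggy_after_user_session_idle": can_refresh_token(us, "app-b", later, idle_timeout, max_lifespan, expired_from_user_session),
        "fixed_after_user_session_idle": can_refresh_token(us, "app-b", later, idle_timeout, max_lifespan, expired_from_own_timestamp),
        "fixed_app_a": can_refresh_token(us, "app-a", now, idle_timeout, max_lifespan, expired_from_own_timestamp),
    }


if __name__ == "__main__":
    for k, v in reproduce().items():
        print(f"{k}: can refresh = {v}")
```

With the reported derivation, app-b's refresh token stays usable solely because app-a refreshed; with the per-client check it is rejected, while a user session that has idled out still takes every client session down with it, as the report says it should.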

      Assignee

      Unassigned

      Reporter

      Pavel Vlha (pvlha), Keycloak SRE