Red Hat build of Keycloak: RHBK-3004

UserInfo request fails by using an access token obtained in Hybrid flow with offline_access scope [GHI#39037]




      Area

      oidc

      Describe the bug

      In the hybrid flow with the offline_access scope (response_type = code token OR code token id_token, scope = openid offline_access), a UserInfo request using the access token obtained from the authorization response fails with 401 Unauthorized (error = "invalid_token", error_description = "user_session_not_found").

      This does not happen in versions earlier than 26.2.0.

      Due to this issue, Keycloak 26.2.0 cannot pass the OpenID Foundation's OIDC conformance tests, while all earlier versions of Keycloak could pass them.

      Version

      26.2.0

      Regression

      [x] The issue is a regression

      Expected behavior

      The UserInfo request succeeds and returns the appropriate UserInfo response with 200 OK.

      Actual behavior

      The UserInfo request fails with 401 Unauthorized (error = "invalid_token", error_description = "user_session_not_found").

      How to Reproduce?

      1. Send an authorization request with response_type = code token OR code token id_token (i.e. the OIDC hybrid flow) and scope = openid offline_access.
      2. On the login screen, the user enters their username and password and logs in successfully.
      3. On the consent screen, the user grants consent.
      4. Receive an authorization response containing an access token.
      5. Send a UserInfo request with that access token.
      6. Receive an error UserInfo response.

      Example:

      [1] An authorization request

      { "client_id": "0908b642-8d6c-4075-80e2-d2d7628c9bb1", "redirect_uri": "https://conformance-suite.keycloak-fapi.org/test/a/keycloak/callback", "scope": "openid offline_access", "state": "YQhigLVlWq", "nonce": "Baki3USTOx", "response_type": "code token", "prompt": "consent" }

      -> https://as.keycloak-fapi.org/auth/realms/test/protocol/openid-connect/auth?client_id=0908b642-8d6c-4075-80e2-d2d7628c9bb1&redirect_uri=https://conformance-suite.keycloak-fapi.org/test/a/keycloak/callback&scope=openid%20offline_access&state=YQhigLVlWq&nonce=Baki3USTOx&response_type=code%20token&prompt=consent

      [4] An authorization response

      https://conformance-suite.keycloak-fapi.org/test/a/keycloak/callback#state=YQhigLVlWq&session_state=8d1f2e10-0df9-403f-a6f0-23e32e1d02d9&iss=https%3A%2F%2Fas.keycloak-fapi.org%2Fauth%2Frealms%2Ftest&code=acdefaa9-1718-4376-b8bc-111054e2bfb0.8d1f2e10-0df9-403f-a6f0-23e32e1d02d9.0908b642-8d6c-4075-80e2-d2d7628c9bb1&access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxT0xKY2JnOFZ1eDhXWVJ3VWxjV3FaZmlTLTJGYXVpY05VVFh4bEoxUjY0In0.eyJleHAiOjE3NDQ4NDg1MjEsImlhdCI6MTc0NDg0ODIyMSwianRpIjoib2ZydG5hOmFiOTg0ZDFkLWIwNmQtNGMzMi04OWIzLWRmOGFiYmJjMzMyOSIsImlzcyI6Imh0dHBzOi8vYXMua2V5Y2xvYWstZmFwaS5vcmcvYXV0aC9yZWFsbXMvdGVzdCIsInR5cCI6IkJlYXJlciIsImF6cCI6IjA5MDhiNjQyLThkNmMtNDA3NS04MGUyLWQyZDc2MjhjOWJiMSIsInNpZCI6IjhkMWYyZTEwLTBkZjktNDAzZi1hNmYwLTIzZTMyZTFkMDJkOSIsImFsbG93ZWQtb3JpZ2lucyI6WyJodHRwczovL2NvbmZvcm1hbmNlLXN1aXRlLmtleWNsb2FrLWZhcGkub3JnIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyJdfSwic2NvcGUiOiJvcGVuaWQgbmFtZV9jbGFpbXMgb2ZmbGluZV9hY2Nlc3MifQ.i1UKWec7MtZTJVs8Feu6iK6yzsTeL12D7ak2rNStmZ9VyiBCb39Mq1Bcc5nlStdbdq335Mu-rvnV6c7aKegDakvWAPG4OHP8aikZAHAI0NLeZSbEflOmoIfEuBvXbcR0E3nbHvO9IvI0Oyh-Ehbg9HOJihNdl_0jrsK6yjF3bT2ilEtk__Zsr24jxuP6lQmb8E9MipMExh8xzkWCvIbjL4tP0gTuE24lIy1aP_UYmvwnnT4Pujx2zf_RhHPzwaUSa5IvcJrOyid1zmmEZn6ms7YCMQAgbFgCMe8j_xeCZKEIkFbeJxRsi4q62SrT9i0e6Tv3X_aD_JXQibr07gbMyg&token_type=Bearer&expires_in=300

      [6] An error UserInfo response

      401 Unauthorized
      Header: "www-authenticate": "Bearer realm=\"test\", error=\"invalid_token\", error_description=\"user_session_not_found\""

      Anything else?

      I found the issue when I ran the OpenID Foundation's OIDC conformance test against Keycloak 26.2.0.

      (1) The authorization request's scope includes "offline_access", which may contribute to this issue.

      (2) When receiving the UserInfo request, Keycloak outputs the following logs about AccessTokenContext:

      {code}
      accessTokenContext.getSessionType() = OFFLINE
      accessTokenContext.getGrantType() = na
      accessTokenContext.getRawTokenId() = d5daa054-015a-4869-9dc1-cccc6b04671b
      accessTokenContext.getTokenType() = REGULAR
      2025-04-17 00:03:45,662 WARN [org.keycloak.events] (executor-thread-5) type="USER_INFO_REQUEST_ERROR", realmId="5b9ce58b-4b1d-42bd-a714-eca698e2157f", realmName="test", clientId="b967393f-a745-4efd-9cb9-91d733f41a58", userId="null", sessionId="59e8808b-bb1e-4171-9c57-ccae9cd6bc2a", ipAddress="172.18.0.13", error="user_session_not_found", auth_method="validate_access_token"
      {code}

      (3) Due to this issue, Keycloak 26.2.0 cannot pass the OpenID Foundation's OIDC conformance tests, while all earlier versions of Keycloak could pass them.
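      An added triage script (not part of this report or of Keycloak) that parses a hybrid-flow fragment response and the UserInfo Bearer challenge and flags the combination described above: hybrid flow, offline_access in the token's scope, and error_description=user_session_not_found. The redirect URL and token are constructed from the report's identifiers (the JWT carries a dummy signature), and the payload is decoded without signature verification, so it is for diagnostics only.

```python
import base64, json, re
from urllib.parse import parse_qs, urlsplit

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_sample_jwt(payload: dict) -> str:
    # Constructed token for illustration: dummy signature, never treated as verified.
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}.dummysig"

def parse_fragment_response(redirect_url: str) -> dict:
    """Single-valued parameters of an OIDC hybrid-flow fragment response."""
    return {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).fragment).items()}

def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT signature verification (diagnostics only)."""
    return json.loads(b64url_decode(token.split(".")[1]))

def parse_bearer_challenge(www_authenticate: str) -> dict:
    """Parse 'Bearer realm="test", error="invalid_token", ...' into a dict."""
    scheme, _, params = www_authenticate.partition(" ")
    return dict(re.findall(r'(\w+)="([^"]*)"', params)) if scheme == "Bearer" else {}

def diagnose(redirect_url: str, userinfo_status: int, www_authenticate: str) -> dict:
    """Classify the UserInfo outcome for the access token carried in the fragment."""
    resp = parse_fragment_response(redirect_url)
    claims = jwt_claims(resp["access_token"])
    hybrid = "code" in resp and "access_token" in resp
    offline = "offline_access" in claims.get("scope", "").split()
    challenge = parse_bearer_challenge(www_authenticate) if userinfo_status == 401 else {}
    return {
        "hybrid_flow": hybrid, "offline_scope": offline, "sid": claims.get("sid"),
        "error": challenge.get("error"), "error_description": challenge.get("error_description"),
        "matches_report": hybrid and offline and challenge.get("error_description") == "user_session_not_found",
    }

# Constructed sample mirroring the report's identifiers (not the captured token).
SAMPLE_TOKEN = make_sample_jwt({"iss": "https://as.keycloak-fapi.org/auth/realms/test",
                                "sid": "8d1f2e10-0df9-403f-a6f0-23e32e1d02d9",
                                "scope": "openid name_claims offline_access"})
SAMPLE_REDIRECT = (
    "https://conformance-suite.keycloak-fapi.org/test/a/keycloak/callback"
    "#state=YQhigLVlWq&session_state=8d1f2e10-0df9-403f-a6f0-23e32e1d02d9"
    "&code=acdefaa9-1718-4376-b8bc-111054e2bfb0.8d1f2e10-0df9-403f-a6f0-23e32e1d02d9"
    f"&access_token={SAMPLE_TOKEN}&token_type=Bearer&expires_in=300"
)
SAMPLE_CHALLENGE = 'Bearer realm="test", error="invalid_token", error_description="user_session_not_found"'
```

      Call diagnose(SAMPLE_REDIRECT, 401, SAMPLE_CHALLENGE) to see the classification; on a fixed server the same call with a 200 status and an empty challenge reports matches_report as False.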

      Assignee: Unassigned
      Reporter: Pavel Vlha (pvlha)
      Component: Keycloak Core Clients