Bug
Resolution: Done
Before reporting an issue
[x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
token-exchange
Describe the bug
Token exchange can return negative expiration values (in the past) when using an offline session. The main reason is that Keycloak uses a transient session; that session is not detected as offline, so the timeouts are calculated using the online session values.
Example returned response in a demo realm:
{
  "access_token": "ey..",
  "expires_in": -103,
  "refresh_expires_in": 0,
  "token_type": "Bearer",
  "not-before-policy": 0,
  "session_state": "af927eef-cb86-4c91-8fa0-32a7f65f625a",
  "scope": "profile email",
  "issued_token_type": "urn:ietf:params:oauth:token-type:access_token"
}
And the access token is also in the past:
{
  "exp": 1750325886,
  "iat": 1750325989,
  "auth_time": 1750325570,
  "jti": "ftrtte:bebe8121-31e9-457c-b57b-63f4dd64500e",
  "iss": "http://localhost:8080/realms/test-session",
  ...
}
Version
26.2.5
Regression
[ ] The issue is a regression
Expected behavior
The response in token exchange should be OK and with correct expiration values.
Actual behavior
It returns expiration times in the past.
How to Reproduce?
1. Modify the realm to have a short SSO Session Max (5 mins for example).
2. Create an offline session using the code-to-token flow.
3. Wait longer than the 5 minutes after which an online session would have expired.
4. Refresh the offline token to obtain a new access token.
5. With the new access token, perform a token exchange request.
6. The values returned are in the past (the calculation is done as if it were an online session, which would already have expired).
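The following is an added illustration, not code from the report or from Keycloak: a simplified model of how the session cap produces the negative `expires_in` seen above (the online cap is measured from session start, the offline cap from the last refresh), plus a sanity check over the report's sample response and decoded claims. The session start time and the session/offline timeouts are constructed assumptions; only the response fields and the exp/iat/auth_time claims come from the report.

```python
import base64
import json

# Copied from the report's sample response and decoded access token (token truncated there).
SAMPLE_RESPONSE = {"expires_in": -103, "refresh_expires_in": 0, "token_type": "Bearer"}
SAMPLE_CLAIMS = {"exp": 1750325886, "iat": 1750325989, "auth_time": 1750325570}

# Constructed: session created a few seconds after auth_time; not a value from the report.
SESSION_START = 1750325586
SSO_SESSION_MAX = 300                  # 5 minutes, as in the repro steps
OFFLINE_SESSION_IDLE = 30 * 24 * 3600  # assumed offline idle timeout
ACCESS_TOKEN_LIFESPAN = 300            # assumed access token lifespan


def capped_expires_in(now, session_start, last_refresh, treat_as_offline,
                      access_token_lifespan=ACCESS_TOKEN_LIFESPAN,
                      sso_session_max=SSO_SESSION_MAX,
                      offline_session_idle=OFFLINE_SESSION_IDLE):
    """Simplified model (an assumption, not Keycloak's code): the access token
    lifetime is capped by the remaining session lifetime. Online sessions are
    bounded by SSO Session Max from session start; offline sessions by Offline
    Session Idle from the last refresh. A negative result is a cap in the past,
    which is what happens when an offline session is treated as online."""
    if treat_as_offline:
        remaining = last_refresh + offline_session_idle - now
    else:
        remaining = session_start + sso_session_max - now
    return min(access_token_lifespan, remaining)


def encode_unsigned_jwt(claims):
    """Build a header.payload. string with an empty signature (constructed test input)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"typ": "JWT"}) + "." + enc(claims) + "."


def decode_jwt_claims(token):
    """Decode the payload segment of a JWT for inspection; no signature check is done."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_exchange_response(response, claims):
    """Return the list of sanity problems found in a token exchange response."""
    problems = []
    if response["expires_in"] <= 0:
        problems.append("expires_in is not positive: %d" % response["expires_in"])
    if claims["exp"] <= claims["iat"]:
        problems.append("exp %d is not after iat %d" % (claims["exp"], claims["iat"]))
    if response["expires_in"] != claims["exp"] - claims["iat"]:
        problems.append("expires_in does not match exp - iat")
    return problems
```

With `now` set to the sample token's `iat`, the online calculation yields -103 (matching the report) while the offline calculation yields the full 300-second lifespan.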
Anything else?
No response