  1. Red Hat build of Keycloak
  2. RHBK-3478

Client session timestamp not updated in the database if running multiple nodes [GHI#42012]


      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      core

      Describe the bug

      Hi everyone, I'm reaching out seeking help to solve a weird behavior that we are observing with our Keycloak instances.

      On Keycloak 26.2.5 or 26.3.1, every time we deploy a new version of our Keycloak with custom providers, some user sessions are losing their client sessions, even if they are not expired yet. See the following screenshot before a deployment:

      <img width="2735" height="283" alt="Image" src="https://github.com/user-attachments/assets/66d0e585-501f-4d61-8672-61c1a93bed0d" />

      Then, after the Keycloak pods were restarted, one session lost its client:

      <img width="2712" height="278" alt="Image" src="https://github.com/user-attachments/assets/cf72c597-d372-465c-ad4c-ef1a427e560c" />

      This is in one of our lower environments; the problem is a lot worse in production, where there are many sessions active.
      Then, we start to see a lot of REFRESH_TOKEN_ERROR in our logs:

      type="REFRESH_TOKEN_ERROR", realmId="1234", realmName="redacted", clientId="redacted", userId="null", sessionId="4321", ipAddress="redacted", error="invalid_token", reason="Session doesn't have required client", grant_type="refresh_token", refresh_token_type="Refresh",
      

      These are our session lifetime configs:

      <img width="522" height="628" alt="Image" src="https://github.com/user-attachments/assets/7fdc1dad-d515-401a-a44c-bd0c61cbbf80" />

      We currently have two Keycloak pods running on Kubernetes.

      Version

      26.3.1

      Regression

      [x] The issue is a regression

      Expected behavior

      The user sessions should not lose their clients after each Keycloak restart, or if this is expected, clear documentation on why it's needed and how to tweak it.

      Actual behavior

      Refresh of access tokens fails because user sessions are losing their client sessions during Keycloak restart. This started to happen after we upgraded from Keycloak 26.1.4 to 26.2.5.

      How to Reproduce?

      Unfortunately, I couldn't find a reliable way to reproduce this other than creating the OIDC sessions and restarting the application manually.

      Anything else?

      We also observe some logs from ClientSessionPersistentChangelogBasedTransaction, like:

      client-session not imported from persister for sessionId=null, offline=false, removing from persister.
      

      Enabled features:

      <img width="3041" height="230" alt="Image" src="https://github.com/user-attachments/assets/75410ac7-80fe-43c9-9635-7b9b24b40926" />

              Unassigned Unassigned
              pvlha Pavel Vlha
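One way to scope the impact from the event log after a restart, as an added example that is not part of the original report or of Keycloak: it parses event lines in the key="value" form quoted in the report and counts, per realm and client, the distinct sessions whose refresh failed with the reported reason. The function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Event lines in the report are comma-separated key="value" pairs.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Reason string copied from the REFRESH_TOKEN_ERROR line in the report.
LOST_CLIENT_REASON = "Session doesn't have required client"


def parse_event(line):
    """Parse one event log line into a dict of its key="value" fields."""
    return dict(FIELD_RE.findall(line))


def lost_client_sessions(lines):
    """Map (realmName, clientId) -> {sessionId: failed refresh count}.

    Only refresh failures carrying the reported reason are counted, so other
    invalid_token failures and client retries do not inflate the session count.
    """
    affected = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") != "REFRESH_TOKEN_ERROR":
            continue
        if ev.get("reason") != LOST_CLIENT_REASON:
            continue
        key = (ev.get("realmName", "?"), ev.get("clientId", "?"))
        affected[key][ev.get("sessionId", "?")] += 1
    return {k: dict(v) for k, v in affected.items()}


def _line(**fields):
    """Build a constructed sample line in the same layout as the report's."""
    return ", ".join(f'{k}="{v}"' for k, v in fields.items()) + ","


# Constructed sample input (not taken from a real deployment).
SAMPLE = [
    _line(type="REFRESH_TOKEN_ERROR", realmName="demo", clientId="web", sessionId="s-1", error="invalid_token", reason=LOST_CLIENT_REASON),
    _line(type="REFRESH_TOKEN_ERROR", realmName="demo", clientId="web", sessionId="s-1", error="invalid_token", reason=LOST_CLIENT_REASON),
    _line(type="REFRESH_TOKEN_ERROR", realmName="demo", clientId="web", sessionId="s-2", error="invalid_token", reason=LOST_CLIENT_REASON),
    _line(type="REFRESH_TOKEN_ERROR", realmName="demo", clientId="mobile", sessionId="s-3", error="invalid_token", reason=LOST_CLIENT_REASON),
    _line(type="REFRESH_TOKEN_ERROR", realmName="demo", clientId="web", sessionId="s-4", error="invalid_token", reason="constructed other reason"),
    _line(type="REFRESH_TOKEN", realmName="demo", clientId="web", sessionId="s-5"),
]

if __name__ == "__main__":
    for (realm, client), sessions in sorted(lost_client_sessions(SAMPLE).items()):
        print(f"{realm}/{client}: {len(sessions)} sessions, {sum(sessions.values())} failed refreshes")
```

Running the same count over logs from before and after a rollout shows whether the failures cluster around the pod restart.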