Refresh not possible after SSO Session Idle timeout, even with constant refreshes #30452

Closed
2 tasks done
xgp opened this issue Jun 14, 2024 · 5 comments
@xgp
Contributor

xgp commented Jun 14, 2024

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

core

Describe the bug

SSO Session Idle seems to be the maximum lifespan of a session, even when refreshing every few minutes.

Version

24.0.5

Regression

  • The issue is a regression

Expected behavior

If SSO Session Idle is set to 1 hour and SSO Session Max is set to 2 hours (all others set to defaults), refreshes should be possible up to 2 hours, when there is never a period > 1 hour between refreshes.

Actual behavior

The refresh after 1 hour (SSO Session Idle) always fails.

How to Reproduce?

  1. Set the SSO Session Idle to 1 hour and SSO Session Max to 2 hours. Use all other realm/client defaults.
  2. Do a normal login and code to token flow using the keycloak-js library.
  3. Do a refresh a few seconds before the access token expiration.
  4. Given the new refresh token, loop to 3 for the next hour.
  5. See that the refresh fails at 1 hour.

Anything else?

A couple of observations:

  1. lastSessionRefresh on the user session, and lastAccess as returned by /admin/realms/:realm/users/:user_id/sessions, never change during the above.
  2. Turning on "Revoke Refresh Tokens" and setting it to 1 solves the problem.

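An added example (not code from Keycloak or from the reporter) that models the session checks described in this report: it assumes a session stays valid while (now - started) < SSO Session Max and (now - lastSessionRefresh) < SSO Session Idle, and contrasts a refresh loop in which lastSessionRefresh advances on every refresh with one in which it never changes, as observed above. The 5-minute refresh interval and the second-based clock are assumptions of the example.

```javascript
// Added example, not Keycloak's implementation: a simplified model of the
// SSO Session Idle / SSO Session Max checks. Assumption: a session is valid
// while (now - started) < max AND (now - lastSessionRefresh) < idle; all
// times are in seconds, with login at t = 0.
const SSO_SESSION_IDLE = 60 * 60;     // 1 hour, as in the report
const SSO_SESSION_MAX = 2 * 60 * 60;  // 2 hours, as in the report

function isSessionValid(session, now, idle, max) {
  const withinMax = now - session.started < max;
  const withinIdle = now - session.lastSessionRefresh < idle;
  return withinMax && withinIdle;
}

// Drive a refresh loop every `intervalSec` seconds for `durationSec` seconds.
// updatesLastRefresh = true models the expected behaviour (each successful
// refresh advances lastSessionRefresh); false models what the report describes
// (lastSessionRefresh never changes after login). Returns the time of the first
// failed refresh (null if none failed) and the time of the last successful one.
function simulateRefreshes({ idle, max, intervalSec, durationSec, updatesLastRefresh }) {
  const session = { started: 0, lastSessionRefresh: 0 };
  let lastSuccess = 0;
  for (let now = intervalSec; now <= durationSec; now += intervalSec) {
    if (!isSessionValid(session, now, idle, max)) {
      return { failedAt: now, lastSuccess };
    }
    lastSuccess = now;
    if (updatesLastRefresh) session.lastSessionRefresh = now;
  }
  return { failedAt: null, lastSuccess };
}

// Constructed scenario: refresh every 5 minutes, observe for 3 hours.
const scenario = { idle: SSO_SESSION_IDLE, max: SSO_SESSION_MAX, intervalSec: 300, durationSec: 3 * 60 * 60 };
const expectedRun = simulateRefreshes({ ...scenario, updatesLastRefresh: true });
const observedRun = simulateRefreshes({ ...scenario, updatesLastRefresh: false });
console.log('expected: first failed refresh at', expectedRun.failedAt / 3600, 'h');  // 2 h (SSO Session Max)
console.log('observed: first failed refresh at', observedRun.failedAt / 3600, 'h');  // 1 h (SSO Session Idle)
```

If the idle check were skipped because the stored lastSessionRefresh is stale (the cache suspicion raised later in this thread), this model reproduces the 1-hour cutoff exactly, which is why comparing lastSessionRefresh from the sessions endpoint before and after a refresh is a quick way to confirm it.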
@pedroigor
Contributor

@xgp I tried to reproduce this using a test even though we already have tests that should be covering this scenario. See https://github.com/pedroigor/keycloak/tree/issue-30452.

If you can review the test and help us to reproduce the problem, I appreciate it.

@pedroigor
Contributor

Perhaps this is something related to how you are using the JS adapter ...

@xgp
Contributor Author

xgp commented Jun 21, 2024

@pedroigor Thanks for the work on this, and I appreciate the suggestion. I'll work on a test to reproduce, while also paying attention to the configuration and how the js adapter is being used. Stay tuned.

@keycloak-github-bot

Thanks for reporting this issue, but there is insufficient information or lack of steps to reproduce.

Please provide additional details, otherwise this issue will be automatically closed within 14 days.

@xgp
Contributor Author

xgp commented Jun 28, 2024

This appears to be a problem with the specific setup, as userSession.setLastSessionRefresh(currentTime), which is called for every refresh, is not updating the value in the UserSessionModel. My assumption is this is a cache / remote Infinispan issue. If I find the root cause, or it turns out to be reproducible outside of this specific environment, I'll post back here.

xgp closed this as not planned on Jun 28, 2024