3
votes

I have a question concerning Keycloak 4.8.3.

I am using the Spring Security adapter to secure our web app with Keycloak, with the remember-me login feature enabled.

The user logs in from a browser and is redirected back to our web app.

Our web app then calls another Keycloak-secured REST-API endpoint internally using the KeycloakRestTemplate, because we need to authorize these calls as well, using the same user as the web app.

The point is: I want to use the authorization token for another REST-API service method.

After some amount of time the REST-API call fails with the following error message:

ERROR RefreshableKeycloakSecurityContext Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Session doesn't have required client"}

and the Keycloak log file contains the following warning:

17:25:51,929 WARN  [org.keycloak.events] (default task-1) type=REFRESH_TOKEN_ERROR, realmId=EHotel, clientId=IBE, userId=f:8db533c4-9733-48d4-8b30-28a50954b7ad:khaendel, ipAddress=192.168.1.76, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=9fba841f-54bb-4c81-8f7b-6a7e1c5ab92e, client_auth_method=client-secret

I cannot predict when exactly that happens, presumably after 15 minutes or after an hour. Token expiration is set as follows:

SSO Session Idle: 15 minutes
SSO Session Max: 15 minutes
SSO Session Idle Remember Me: 1 Day
SSO Session Max Remember Me: 1 Day
Access Token Lifespan: 5 minutes

What does the error message (Session doesn't have required client) mean, and what am I doing wrong?

Remote debugging revealed: it seems that on the Keycloak server a client session cache is involved (InfinispanUserSessionProvider) that loses information after a while.

I expected to use the Keycloak token to authenticate another REST-API service with the same user as our secured web app. But the refresh token cannot be used for as long as the SSO session lasts, because of the error message.
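As an added example (not code from the question or from Keycloak), the following parses org.keycloak.events log lines in the format quoted above and counts failed refresh_token grants per client and user, so the recurring REFRESH_TOKEN_ERROR pattern described here can be spotted from the server log. The sample lines, realm, client, user IDs and IP addresses are constructed.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample lines mimicking the org.keycloak.events WARN format quoted in
# the question. Realm, client, user IDs, token IDs and addresses are made up.
SAMPLE_LOG = """\
17:25:51,929 WARN  [org.keycloak.events] (default task-1) type=REFRESH_TOKEN_ERROR, realmId=ExampleRealm, clientId=webapp, userId=f:00000000-0000-0000-0000-000000000001:alice, ipAddress=10.0.0.5, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=aaaaaaaa-0000-0000-0000-000000000001, client_auth_method=client-secret
17:26:03,112 WARN  [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=ExampleRealm, clientId=webapp, userId=f:00000000-0000-0000-0000-000000000002:bob, ipAddress=10.0.0.6, error=invalid_user_credentials
17:40:12,004 WARN  [org.keycloak.events] (default task-3) type=REFRESH_TOKEN_ERROR, realmId=ExampleRealm, clientId=webapp, userId=f:00000000-0000-0000-0000-000000000001:alice, ipAddress=10.0.0.5, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=aaaaaaaa-0000-0000-0000-000000000002, client_auth_method=client-secret
"""

# Everything after the "(default task-N) " prefix is a comma-separated key=value list.
EVENT_RE = re.compile(r"\[org\.keycloak\.events\] \(.*?\) (?P<fields>.*)$")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one org.keycloak.events line into a dict of its key=value fields.
    Lines that are not Keycloak event lines yield an empty dict."""
    m = EVENT_RE.search(line)
    if not m:
        return {}
    fields: Dict[str, str] = {}
    for part in m.group("fields").split(", "):
        key, sep, value = part.partition("=")  # userId contains ':' but no '='
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def refresh_failures(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only failed refresh_token grants, the server-side event behind the
    400 invalid_grant response the adapter logs."""
    return [
        ev for ev in map(parse_event, lines)
        if ev.get("type") == "REFRESH_TOKEN_ERROR" and ev.get("grant_type") == "refresh_token"
    ]


def failures_per_user(lines: Iterable[str]) -> Counter:
    """Count refresh failures by (clientId, userId); a pair that keeps recurring while
    the remember-me session should still be valid is the symptom described above."""
    return Counter((ev["clientId"], ev["userId"]) for ev in refresh_failures(lines))


if __name__ == "__main__":
    for (client, user), n in failures_per_user(SAMPLE_LOG.splitlines()).items():
        print(f"{client} {user}: {n} refresh failure(s)")
```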

1 Answer

2
votes

The Keycloak developer team has confirmed that this is a bug in the current version of Keycloak, 4.8.3. Client sessions must be valid for the duration of the longer remember-me session. This bug will be fixed in the next version. A Jira ticket is not available at the time of writing.