
Keycloak refresh token expired


Details

    • Type: Feature Request
    • Resolution: Done
    • Priority: Major
    • Labels: security

    Description

      To reproduce the error:
        1. Login to shoot'nshare with keycloak
        2. Have the tokens stored securely in keychain
        3. close your app
        4. wait for 5 mins
        5. open it back
        6. try to upload picture
      ... and boom 400

      Here is the refresh request

      POST /auth/realms/shoot-realm/tokens/refresh HTTP/1.1
      Host: 192.168.0.37:8080
      Content-Type: application/x-www-form-urlencoded
      Connection: keep-alive
      Accept: */*
      User-Agent: Shoot/1 CFNetwork/711.0.6 Darwin/14.0.0
      Content-Length: 667
      Accept-Language: en-us
      Accept-Encoding: gzip, deflate

      refresh_token=eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiIwMGY4OTdlNC03MWVhLTQ3Y2MtOWQ3My1kZmVlNDg3MWQ3ZGIiLCJleHAiOjE0MTMzNjg0NDUsIm5iZiI6MCwiaWF0IjoxNDEzMzY3ODQ1LCJpc3MiOiJzaG9vdC1yZWFsbSIsInN1YiI6IjYzNDg2MzA3LWUzNTUtNDAyMS1hNjRlLTk1ODFiZmNmNWFlMSIsInR5cCI6IlJFRlJFU0giLCJhenAiOiJzaG9vdC10aGlyZC1wYXJ0eSIsInNlc3Npb25fc3RhdGUiOiJjMWNmNDIzMi02ZjFhLTQ0ODgtOGQzZS1hYzk3OTU5NzhiOWMiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsidXNlciJdfSwicmVzb3VyY2VfYWNjZXNzIjp7fX0.Q7KK_5vjqISkhnUVnuyDJzzlTZ-zSxkD6cV759snRPf6XtEGhrwV1l07Anf6Og99VTRNKK7JvPt9Yx-a7Cw9ZlNS88PmqU9HmaFwSx9Olnij0rpclfLbqQuq_nHd5pSV_gq1mygbNuQsOB0BKBEpW51FzvIMbDZt3UyLQzcWNNc&grant_type=refresh_token&client_id=shoot-third-party

      and its response:
      HTTP/1.1 400 Bad Request
      Connection: keep-alive
      X-Powered-By: Undertow/1
      Server: WildFly/8
      Transfer-Encoding: chunked
      Content-Type: application/json
      Date: Wed, 15 Oct 2014 14:16:44 GMT

      {"error":"invalid_grant","error_description":"Refresh token expired"}

      ==> Error linked to KC; from the spec I'm not sure a refresh token should expire

      corinnekrych: hello Keycloak team
      [4:24pm] corinnekrych: I have a question on oauth2 refresh token
      [4:24pm] corinnekrych: I've been surprised to get this answer from keycloak server: "Refresh token expired"
      [4:25pm] corinnekrych: for ex Google refresh token never expired so…
      [4:25pm] corinnekrych: besides default configuration put a very short life for this refresh token, but that's good it allows me to see it
      [4:26pm] corinnekrych: so my question is: when you have an app that stored (securely) access and refresh token so that next app usage, you can transparently refresh the tokens
      [4:27pm] corinnekrych: without asking for grant again
      [4:27pm] corinnekrych: how would you deal with refreshing refresh token???
      [4:29pm] corinnekrych: I thought refresh tokens were not supposed to expire … http://tools.ietf.org/html/rfc6749#section-10.4

      I think this
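Added example (not code from this issue, the Shoot'n'Share app or Keycloak): a client that keeps tokens in the keychain, as described above, can read the exp claim of the stored refresh token before spending a request on it, and treat the captured 400 invalid_grant reply as "start a new interactive login" rather than an error to retry. The refresh callable and the step names are assumptions; the token and the reply are the ones captured in this issue.

```python
import base64
import json

# Refresh token and server reply exactly as captured in this issue. Only the
# payload is decoded locally; the signature is NOT verified here (the server
# does that), so the exp claim is a hint for the client, not a trust decision.
ISSUE_REFRESH_TOKEN = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJqdGkiOiIwMGY4OTdlNC03MWVhLTQ3Y2MtOWQ3My1kZmVlNDg3MWQ3ZGIiLCJleHAiOjE0MTMzNjg0NDUsIm5iZiI6MCwiaWF0IjoxNDEzMzY3ODQ1LCJpc3MiOiJzaG9vdC1yZWFsbSIsInN1YiI6IjYzNDg2MzA3LWUzNTUtNDAyMS1hNjRlLTk1ODFiZmNmNWFlMSIsInR5cCI6IlJFRlJFU0giLCJhenAiOiJzaG9vdC10aGlyZC1wYXJ0eSIsInNlc3Npb25fc3RhdGUiOiJjMWNmNDIzMi02ZjFhLTQ0ODgtOGQzZS1hYzk3OTU5NzhiOWMiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsidXNlciJdfSwicmVzb3VyY2VfYWNjZXNzIjp7fX0."
    "Q7KK_5vjqISkhnUVnuyDJzzlTZ-zSxkD6cV759snRPf6XtEGhrwV1l07Anf6Og99VTRNKK7JvPt9Yx-a7Cw9ZlNS88PmqU9HmaFwSx9Olnij0rpclfLbqQuq_nHd5pSV_gq1mygbNuQsOB0BKBEpW51FzvIMbDZt3UyLQzcWNNc"
)
ISSUE_REFRESH_RESPONSE = (
    400, '{"error":"invalid_grant","error_description":"Refresh token expired"}'
)


def unverified_claims(jwt):
    """Decode a JWT's payload segment without checking its signature."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def refresh_token_usable(jwt, now, skew=30):
    """True while the stored refresh token is at least `skew` seconds from exp."""
    return now + skew < unverified_claims(jwt)["exp"]


def resume_session(jwt, now, refresh):
    """Decide how an app that kept tokens in the keychain resumes its session.

    `refresh` (assumed helper) posts the token to /tokens/refresh and returns
    (status, body). Result is "login", "refreshed" or "retry".
    """
    if not refresh_token_usable(jwt, now):
        return "login"  # expired while the app was closed: skip the doomed request
    status, body = refresh(jwt)
    if status == 200:
        return "refreshed"
    if status == 400 and json.loads(body).get("error") == "invalid_grant":
        return "login"  # Keycloak rejected the grant: discard tokens, run the auth flow again
    return "retry"  # transport or server fault; the stored tokens may still be valid
```

Decoding the captured token shows exp - iat = 600, so the default lifetime the reporter hit was ten minutes, and the reply's Date header (15 Oct 2014 14:16:44 GMT) is hours past that exp.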

          People

            Assignee: Unassigned
            Reporter: Corinne Krych (Inactive)