Keycloak / KEYCLOAK-9826

"Stale Token" ERROR on RPT refresh_token

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 4.8.3.Final
    • Fix Version/s: None
    • Labels:
    • Environment:

      Tomcat J2EE application with Keycloak Tomcat adapter.
      UMA flow is used to access services and user's resources.

    • Story Points:
      2
    • Steps to Reproduce:

      1) User login.
      2) Access UMA protected resource, parse UMA ticket, use ticket and uma grant_type to get RPT token. Save access and refresh tokens!
      3) Access protected resource (repeat step 2 if needed)
      4) When RPT access_token expires, use RPT refresh token and call /token endpoint. Save new access and new refresh token.
      5) Enable "Revoke Refresh Token".
      6) Refresh of RPT token is rejected with error 400.

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      J2EE application is protected with Tomcat adapter. Application uses RPT access_token and refresh_token to access user's resources on other services.
      When RPT token expires, a JAX-RS Client is used to refresh RPT access_token with refresh_token on Keycloak.

      Request is:
      +++
      > POST http://SERVER_NAME/auth/realms/moj-petrol/protocol/openid-connect/token
      > Accept: application/json
      > Content-Type: application/x-www-form-urlencoded
      client_id=moj-petrol-web&client_secret=978XXXXXXXXXXXXXXXXXX738df&grant_type=refresh_token&refresh_token=eyJhbGciOiJIUzI1N..................Aw78WgfTNoVHP-UQCkMesB4eWJ-c4
      +++

      Keycloak returns new RPT tokens.

      Only when "Revoke Refresh Token" is enabled, Keycloak fails to refresh RPT tokens.
      See image Stale-Token-Revoke-Refresh-Token.png
      +++
      < 400
      < Cache-Control: no-store
      < Content-Length: 59
      < Content-Type: application/json
      < Date: Wed, 12 Dec 2018 16:52:20 GMT
      < Pragma: no-cache

      {"error":"invalid_grant","error_description":"Stale token"}

      +++

      See Stale-Token-Code.png for condition that fails to refresh RPT token.
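The refresh exchange quoted above, as an added client-side example (not code from the Keycloak project or from the reporter): it builds the refresh_token grant request shown in the issue, classifies the token endpoint's reply, and keeps only the most recently issued refresh token so that a single-use refresh token (the behaviour "Revoke Refresh Token" enforces) is never replayed. A 400 `invalid_grant` / "Stale token" reply is treated as "discard the pair and go back through the UMA grant" rather than retried. The endpoint URL, realm and client_id are the ones quoted in the issue; the client secret, token strings and the `SingleUseTokenEndpoint` stand-in (which only exists so the example runs offline) are constructed and are not Keycloak's implementation.

```python
import json
from urllib.parse import urlencode, parse_qs

# Endpoint, realm and client id as quoted in the issue; the secret is a placeholder.
TOKEN_ENDPOINT = "http://SERVER_NAME/auth/realms/moj-petrol/protocol/openid-connect/token"
CLIENT_ID = "moj-petrol-web"
CLIENT_SECRET = "PLACEHOLDER_CLIENT_SECRET"


def build_refresh_request(refresh_token, client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Return the HTTP request (method, url, headers, body) for a refresh_token grant."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
    })
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {"Accept": "application/json",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": body,
    }


def classify_token_response(status, body):
    """Map a token-endpoint reply to a client action.

    Returns ("ok", tokens), ("reauthorize", reason) or ("error", reason).
    400 invalid_grant (e.g. "Stale token") means the refresh token is no longer
    usable: the client must drop it and obtain a fresh RPT via the UMA grant.
    """
    try:
        payload = json.loads(body)
    except ValueError:
        return ("error", "non-JSON body (HTTP %d)" % status)
    if status == 200 and "access_token" in payload:
        return ("ok", payload)
    if status == 400 and payload.get("error") == "invalid_grant":
        return ("reauthorize", payload.get("error_description", "invalid_grant"))
    return ("error", "%s (HTTP %d)" % (payload.get("error", "unknown"), status))


class RptSession:
    """Holds the RPT pair and always persists the newest refresh token."""

    def __init__(self, access_token, refresh_token):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.needs_uma_grant = False

    def refresh_request(self):
        return build_refresh_request(self.refresh_token)

    def apply_response(self, status, body):
        action, detail = classify_token_response(status, body)
        if action == "ok":
            # Overwrite both tokens at once: with "Revoke Refresh Token" enabled
            # the refresh token just used must never be sent again.
            self.access_token = detail["access_token"]
            self.refresh_token = detail.get("refresh_token", self.refresh_token)
        elif action == "reauthorize":
            self.access_token = None
            self.refresh_token = None
            self.needs_uma_grant = True
        return action, detail


class SingleUseTokenEndpoint:
    """Constructed stand-in for /token with single-use refresh tokens (not Keycloak code)."""

    def __init__(self):
        self._counter = 0
        self._live = set()

    def issue(self):
        self._counter += 1
        rt = "rt-%d" % self._counter
        self._live.add(rt)
        return {"access_token": "at-%d" % self._counter, "refresh_token": rt}

    def handle(self, request):
        form = parse_qs(request["body"])
        rt = form.get("refresh_token", [""])[0]
        if form.get("grant_type") != ["refresh_token"] or rt not in self._live:
            return 400, json.dumps({"error": "invalid_grant", "error_description": "Stale token"})
        self._live.discard(rt)  # the token just presented is revoked
        return 200, json.dumps(self.issue())


def demo():
    """Refresh once, replay the old token (rejected as stale), refresh with the new one."""
    endpoint = SingleUseTokenEndpoint()
    first = endpoint.issue()
    session = RptSession(first["access_token"], first["refresh_token"])
    outcomes = [session.apply_response(*endpoint.handle(session.refresh_request()))[0]]
    replay = build_refresh_request(first["refresh_token"])
    outcomes.append(classify_token_response(*endpoint.handle(replay))[0])
    outcomes.append(session.apply_response(*endpoint.handle(session.refresh_request()))[0])
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Against a real Keycloak the request dict is handed to any HTTP client (the issue uses a JAX-RS Client); the point of `RptSession.apply_response` is that the stored refresh token is replaced the moment a new pair arrives, and that "Stale token" ends the session instead of being retried in a loop.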

              People

              • Assignee:
                Unassigned
              • Reporter:
                klemenki Klemen Kisel