Offline token invalid but not expired

Getting advice
,
1

Hi,

I have a problem with offline tokens. Some of them expire well before the limit. My offline tokens have an expiration period of 190 days (Offline Session Idle = 190d and Offline Session Max = 190d). To obtain them, my user goes through the authorization code grant flow and consents. The tokens are stored in a database and exchanged for access tokens with a client_id client_secret.

my users sometimes have this error that I cannot explain :

{
    "error": "invalid_grant",
    "error_description": "Session doesn't have required client"
}

I’m running keycloak 15.1.1 on a Kubernetes cluster of 3 nodes. The CACHE_OWNER parameter is 2
I’m using lazy loading Offline token with this setting :

<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
    ...
    <spi name="userSessions">
        <default-provider>infinispan</default-provider>
        <provider name="infinispan" enabled="true">
            <properties>
                <property name="preloadOfflineSessionsFromDatabase" value="false"/>
            </properties>
        </provider>
    </spi>
    ...
</subsystem>

An idea ?

Thanks

Sebastien

2

Hi,

The problem is solved and it was indeed a cache problem. The CACHE_OWNER parameter was the cause. We were losing sessions during the rolling update phase.

https://www.keycloak.org/docs/latest/server_installation/#_replication

Thanks for your help,

Best regards

Sébastien

3

Hi @sebaclaudel, we ar e having same issue.

Today we have 4 nodes and 2 CACHE_OWNER, and we’re having that errors for sessions doesn’t have required clients.

After reading the documentation we have some questions.

You resolve by increasing cache_owner? How many nodes you have in your environment and how much CACHE_OWNER’s have you configured?

4

Hi,
We solved this by increasing the CACHE_OWNER number. To avoid any problems, we set CACHE_OWNER = Nodes.

1 Like