
I have an app connected via oauth2-proxy to Keycloak and generally everything runs fine.

Just sometimes I see the following error in the oauth2-proxy logfiles:

unable to redeem refresh token: failed to get token: oauth2: cannot fetch token: 400 Bad Request 
Response: {"error":"invalid_grant","error_description":"Session doesn't have required client"},
removing session.

The corresponding message in the Keycloak logfile is this:

org.keycloak.events
type=REFRESH_TOKEN_ERROR, realmId=xxx, clientId=xxx, userId=f:ce9d954a-de51-48a4-a70b-xxx:xxx, ipAddress=x.x.x.x, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=bb77d7aa-c061-45d4-b2f7-fe938d5537cb, client_auth_method=client-secret

I found the same error message in e.g. the question "What does 'Session doesn't have required client' mean?", but that problem was for Keycloak 4.x, while I'm using the latest, 16.1.1. Additionally, I don't use remember-me sessions.

The source code has this message only in oidc/TokenManager.java, where problems with a "cross-dc environment" are suggested, but we don't have a cross-datacenter environment, just three instances in the same Kubernetes namespace installed with the latest Helm chart.

What else could possibly cause this problem?

Talha Tayyab
lathspell

1 Answer

One reason can be the following (using Keycloak 20.0): if you have the option "Revoke Refresh Token" enabled and you have a bug in your application, it might happen that your application tries to refresh with an old refresh token. That call will get an error code 400 with the error description "Stale token". (In my case I overlooked that error.) The session will then be revoked. If your application then uses the newest, originally valid refresh token, that call will just get the error description "Session doesn't have required client".

dude
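Added here to illustrate the sequence the answer describes (not code from the question, the answer, Keycloak or oauth2-proxy): a small Python script that reads Keycloak event lines in the key=value layout shown in the question and flags a refresh attempt that reuses a refresh_token_id already exchanged, then the follow-up errors that the revoked session produces. The sample lines are constructed, and the script assumes successful REFRESH_TOKEN events also carry refresh_token_id, which the page does not show.

```python
import re

# Constructed sample Keycloak org.keycloak.events lines in the key=value layout of the
# question's log line (all values made up). Assumes successful REFRESH_TOKEN events also
# carry refresh_token_id; only the error event is shown on the page.
SAMPLE_EVENTS = """\
type=REFRESH_TOKEN, realmId=demo, clientId=oauth2-proxy, userId=f:ab12:alice, ipAddress=10.0.0.5, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=tok-1, client_auth_method=client-secret
type=REFRESH_TOKEN, realmId=demo, clientId=oauth2-proxy, userId=f:ab12:alice, ipAddress=10.0.0.5, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=tok-2, client_auth_method=client-secret
type=REFRESH_TOKEN_ERROR, realmId=demo, clientId=oauth2-proxy, userId=f:ab12:alice, ipAddress=10.0.0.5, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=tok-1, client_auth_method=client-secret
type=REFRESH_TOKEN_ERROR, realmId=demo, clientId=oauth2-proxy, userId=f:ab12:alice, ipAddress=10.0.0.5, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=tok-3, client_auth_method=client-secret
"""

KV = re.compile(r"(\w+)=([^,]*)")

def parse_event(line):
    """Extract the key=value pairs of one Keycloak event line (values hold no commas)."""
    return dict(KV.findall(line))

def find_refresh_reuse(lines):
    """Classify REFRESH_TOKEN_ERROR events in the order the answer describes:
    first a reuse of an already-exchanged token (Keycloak answers 'Stale token' and, with
    Revoke Refresh Token on, revokes the session), then errors on the still-valid newest
    token ('Session doesn't have required client'). Returns (refresh_token_id, verdict)."""
    exchanged = set()   # (clientId, userId, refresh_token_id) already used successfully
    revoked = set()     # (clientId, userId) whose session a reuse presumably revoked
    findings = []
    for line in lines:
        ev = parse_event(line)
        who = (ev.get("clientId"), ev.get("userId"))
        tok = ev.get("refresh_token_id")
        if ev.get("type") == "REFRESH_TOKEN":
            exchanged.add(who + (tok,))
        elif ev.get("type") == "REFRESH_TOKEN_ERROR":
            if who + (tok,) in exchanged:
                revoked.add(who)
                findings.append((tok, "stale token reused: client bug or replay; session now revoked"))
            elif who in revoked:
                findings.append((tok, "refresh after revocation: expect 'Session doesn't have required client'"))
            else:
                findings.append((tok, "refresh error with no prior reuse seen"))
    return findings

if __name__ == "__main__":
    for tok, verdict in find_refresh_reuse(SAMPLE_EVENTS.splitlines()):
        print(f"{tok}: {verdict}")
```

Run it over the real event log of the affected realm; the first "stale token reused" hit names the refresh_token_id the application replayed, which is where to start debugging the client.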