
OidcClient has failed to complete the refresh_token grant request: "error_description":"Refresh token expired" #21873

Closed
tttomat19 opened this issue Dec 2, 2021 · 3 comments · Fixed by #21924
Assignees
Labels
area/oidc kind/bug Something isn't working
Milestone

Comments

@tttomat19
Contributor

Describe the bug

It seems like there's no processing of expired refresh_tokens implemented. So "refresh token expired" error appears and oidc-client is unable to get new access_token.

Expected behavior

OidcClient could have some refresh_token processing logic.

  1. Test refresh_token for being expired
  2. If true, get new refresh_token, await
  3. If got new refresh_token, then get new access_token

Actual behavior

oidc-client is unable to get new access_token with stale refresh_token, and refresh_token itself is not requested.

How to Reproduce?

rest-client + oidc-client (via OidcClientRequestFilter) + keycloak 12hrs refresh_token exp.

https://github.com/tttomat19/quarkus-quickstarts/tree/main/rest-client-quickstart

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

No response

Build tool (i.e. output of mvnw --version or gradlew --version)

No response

Additional information

No response

@tttomat19 tttomat19 added the kind/bug Something isn't working label Dec 2, 2021
@quarkus-bot quarkus-bot bot added the area/oidc label Dec 2, 2021
@quarkus-bot

quarkus-bot bot commented Dec 2, 2021

/cc @pedroigor, @sberyozkin

@sberyozkin
Member

sberyozkin commented Dec 2, 2021

@tttomat19 I think the grant request has to be repeated if RT has expired - it is already done if AT has expired but no RT is available - so the condition here needs to be tweaked a bit - if AT has expired then do a new grant request if no RT is available or RT has expired.
The problem is, there is no standard RT expiry property - RT is supposed to be long-lived. If it is in a JWT format then it can be deduced but there is no chance for a binary RT which is the case in most cases.
As such I'd not qualify it as a bug. I guess we can add a new property to check the RT expiry time - assuming the provider you are dealing with returns such a property
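The decision rule described in the comment above (new grant when the AT has expired and the RT is missing or expired, refresh grant otherwise, with RT expiry deduced from a JWT-formatted RT or from a provider-specific expiry such as Keycloak's refresh_expires_in), written out as an added stand-alone example; this is not Quarkus code, and the token layout, field names and the unsigned test fixture are assumptions of the example:

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Tokens:
    access_token: str
    access_expires_at: float                      # absolute epoch seconds
    refresh_token: Optional[str] = None
    refresh_expires_at: Optional[float] = None    # set only if the provider reported RT expiry


def jwt_exp(token: str) -> Optional[float]:
    """Return the 'exp' claim of a JWT-formatted token, or None for an opaque/binary token.
    Only the payload is decoded; the value is used to avoid a refresh the provider would reject."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    return float(exp) if isinstance(exp, (int, float)) else None


def refresh_token_expired(t: Tokens, now: float) -> bool:
    """True only when RT expiry is known and in the past; unknown expiry is treated as usable,
    because there is no standard RT expiry property and most RTs are opaque."""
    exp = t.refresh_expires_at
    if exp is None and t.refresh_token:
        exp = jwt_exp(t.refresh_token)
    return exp is not None and now >= exp


def next_step(t: Tokens, now: float) -> str:
    """Which grant the client should run next: use the AT, refresh it, or start a new grant."""
    if now < t.access_expires_at:
        return "use_access_token"
    if t.refresh_token is None or refresh_token_expired(t, now):
        return "new_grant"
    return "refresh_grant"


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test fixture: a JWT-shaped string with alg 'none' and an empty signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```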

@sberyozkin
Member

I see this is Keycloak, should be fine
