Negative token expiration when changing client session max lifetime #24936

Open
1 task done
sschu opened this issue Nov 22, 2023 · 7 comments · May be fixed by #29013
Assignees
Labels
area/oidc Indicates an issue on OIDC area help wanted kind/bug Categorizes a PR related to a bug priority/important Must be worked on very soon status/bumped-by-bot team/core-clients

Comments

@sschu
Contributor

sschu commented Nov 22, 2023

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

oidc

Describe the bug

When adding a client session max limit, Keycloak will generate refresh and access tokens with negative token lifetime.

Version

22.0.5, nightly

Expected behavior

Keycloak creates a new client session and a new token with positive token expiration based on the client session settings.

Actual behavior

Keycloak uses the original start date of the first client session and calculates the expiry date based on the now reduced client session max.

How to Reproduce?

  1. Do an authcode flow to retrieve an access+refresh token.
  2. Enter a client session max of 1 minute in the realm settings.
  3. Wait at least one minute.
  4. Do another authcode flow to retrieve an access+refresh token, both tokens will have expiration date in the past and expires_in is negative in the response.

Anything else?

This is really a corner case, probably not that critical.
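
The arithmetic behind the four reproduction steps above, as an added example that is not part of this issue or of Keycloak's code: a small Python model in which a token's expiry is clamped to the client session's original start time plus the realm's current client session max, so lowering that max after the session was created pushes the bound into the past and `expires_in` goes negative. A checked variant refuses to issue tokens for such a session instead. The class names, the `InvalidGrant` error, the lifespans and the timestamps are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ClientSession:
    """Constructed stand-in for a client session: only its start time matters here."""
    started: int  # epoch seconds at which the first auth-code flow created the session


@dataclass(frozen=True)
class RealmSettings:
    """Constructed stand-in for the realm token settings involved in the report."""
    access_token_lifespan: int  # seconds
    client_session_max: int     # "client session max" in seconds; 0 means not limited


class InvalidGrant(Exception):
    """Assumed error a token endpoint would return for a client session that is no longer valid."""


def client_session_expires_at(session: ClientSession, settings: RealmSettings) -> Optional[int]:
    """Upper bound for any token tied to this client session, or None if unlimited.

    The bound is anchored at the session's original start, so reducing
    client_session_max after the session was created moves it into the past.
    """
    if settings.client_session_max <= 0:
        return None
    return session.started + settings.client_session_max


def issue_token_naive(session: ClientSession, settings: RealmSettings, now: int) -> dict:
    """Behaviour the report describes: clamp to the client-session bound without
    checking whether that bound already lies in the past."""
    exp = now + settings.access_token_lifespan
    bound = client_session_expires_at(session, settings)
    if bound is not None:
        exp = min(exp, bound)
    return {"exp": exp, "expires_in": exp - now}


def issue_token_checked(session: ClientSession, settings: RealmSettings, now: int) -> dict:
    """Checked variant: a client session whose bound has passed is treated as expired,
    so the request fails instead of yielding a token with negative expires_in."""
    bound = client_session_expires_at(session, settings)
    if bound is not None and bound <= now:
        raise InvalidGrant(
            "client session expired (started=%d, max=%ds, now=%d)"
            % (session.started, settings.client_session_max, now)
        )
    return issue_token_naive(session, settings, now)


def reproduce(started: int = 1_700_000_000, waited: int = 120) -> dict:
    """Walk the reproduction steps with constructed timestamps and return both outcomes."""
    session = ClientSession(started=started)                                   # step 1: auth-code flow
    settings = RealmSettings(access_token_lifespan=300, client_session_max=60)  # step 2: max set to 1 minute
    now = started + waited                                                     # step 3: wait longer than that
    naive = issue_token_naive(session, settings, now)                          # step 4: token reuses the old session
    try:
        issue_token_checked(session, settings, now)
        checked = "token issued"
    except InvalidGrant as err:
        checked = "error: " + str(err)
    return {"naive_expires_in": naive["expires_in"], "checked": checked}


if __name__ == "__main__":
    print(reproduce())
```

With the defaults, `reproduce()` reports `naive_expires_in` of -60 (bound at start+60 against a request at start+120) and an `InvalidGrant` from the checked path; with a client session max larger than the time waited, or 0, both paths return the usual positive lifespan.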

@sschu sschu added kind/bug Categorizes a PR related to a bug status/triage labels Nov 22, 2023
@ghost ghost added area/oidc Indicates an issue on OIDC area team/core labels Nov 22, 2023
@douglaspalmer douglaspalmer self-assigned this Jan 29, 2024
@douglaspalmer douglaspalmer added this to the 24.0.0 milestone Jan 29, 2024
douglaspalmer added a commit to douglaspalmer/keycloak that referenced this issue Feb 15, 2024
@douglaspalmer
Contributor

douglaspalmer commented Feb 15, 2024

I wrote a test to reproduce this but the test is passing. Is this still an issue? Did I miss a step in the test?
douglaspalmer@e8b9365

@sschu
Contributor Author

sschu commented Feb 15, 2024

@douglaspalmer
I can still reproduce this on Keycloak 23.0.6, see screenshot
[Screenshot 2024-02-15 at 18:09:01]
It's easy to reproduce: log in to the admin console, change the client session max to 1 minute, wait 1 minute for the access token to expire, click anywhere (the console will get a new token using the refresh flow), and observe the negative expiration.
The difference to your test is probably that I use a refresh token flow so I am definitely referencing the original client session.

@sschu
Contributor Author

sschu commented Feb 15, 2024

Instead of clicking to trigger a refresh flow, you can also reload the page to trigger an authcode flow. The problem also occurs there and sends the admin console into a nasty reload loop:
[Screenshot 2024-02-15 at 18:20:36]

@douglaspalmer
Contributor

@sschu I can reproduce it manually; I'll try to fix the test.

@keycloak-github-bot

Due to the amount of issues reported by the community we are not able to prioritise resolving this issue at the moment.

If you are affected by this issue, upvote it by adding a 👍 to the description. We would also welcome a contribution to fix the issue.

@mposolda
Contributor

mposolda commented Mar 1, 2024

@sschu This might not be that trivial to fix and at the same time, it is a corner case. We don't prioritize this ATM within the Keycloak team. But a PR is welcome.

@sschu
Contributor Author

sschu commented Mar 1, 2024

@mposolda I agree with the priority. I am not even sure what the expected behaviour here is. I would say shortening the session timespans should have a retroactive effect. This means Keycloak should just act as if the session is expired. This might also make it easier to fix this (just respond with an error if the expiration would be negative).

@rmartinc rmartinc self-assigned this Apr 23, 2024
rmartinc added a commit to rmartinc/keycloak that referenced this issue Apr 23, 2024
Check client session is valid in TokenManager
Closes keycloak#24936

Signed-off-by: rmartinc <rmartinc@redhat.com>