Increase in refresh_token_errors after upgrade from 15.1.1 to 16.1.1

We recently upgraded our Keycloak from 15.1.1 to 16.1.1. Ever since we performed the upgrade we’ve started seeing warnings in Keycloak’s logs with the event name REFRESH_TOKEN_ERROR with error=invalid_token.

We haven’t had any reports that users are getting unexpectedly logged out or any other trouble that may be related to the error message.

Is this something we should be concerned about?

Does anybody know of a change in Keycloak 16 that might explain this?

Thanks!

It turns out this was a symptom of a problem with the clients. The clients were prematurely logging themselves out due to a misunderstanding of how to use the AppAuth libraries when the device is offline. Then they would attempt to use the refresh token after they had ended their session, thus causing the REFRESH_TOKEN_ERROR.

If anybody else bumps into something similar, check to see if a LOGOUT event happens before the REFRESH_TOKEN_ERROR. Depending on your logging system it may take some fiddling to relate the two together :sweat_smile:.

The issue we had with the AppAuth library is that when the device is offline attempting to use the token throws an exception. This sample from the AppAuth-Android repo shows how an exception is thrown if something goes wrong with a request using a fresh token.

authState.performActionWithFreshTokens(service, new AuthStateAction() {
  @Override public void execute(
      String accessToken,
      String idToken,
      AuthorizationException ex) {
    if (ex != null) {
      // negotiation for fresh tokens failed, check ex for more details
      return;
    }

    // use the access token to do something ...
  }
});

The exception triggered a logout in the client, then any other requests to refresh the token that were in flight caused REFRESH_TOKEN_ERRORS.
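The check suggested above (does a LOGOUT precede each REFRESH_TOKEN_ERROR for the same user and client?) as an added script, not code from the thread or from Keycloak. The log lines are constructed in the shape of the jboss-logging event listener's output, and it is assumed that successful events such as LOGOUT are being logged at all (the listener's success-level defaults to debug); the five-minute window is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines shaped like Keycloak's jboss-logging event listener output
# (ids, addresses and timestamps are made up). LOGOUT shows up at INFO here, which
# assumes the listener's success-level was raised from its default of debug.
SAMPLE_LOG = """\
2022-01-10 09:14:02,113 INFO  [org.keycloak.events] (default task-3) type=LOGOUT, realmId=demo, clientId=mobile-app, userId=u-1001, ipAddress=10.0.0.5
2022-01-10 09:14:03,004 WARN  [org.keycloak.events] (default task-4) type=REFRESH_TOKEN_ERROR, realmId=demo, clientId=mobile-app, userId=u-1001, ipAddress=10.0.0.5, error=invalid_token, grant_type=refresh_token
2022-01-10 09:14:03,090 WARN  [org.keycloak.events] (default task-2) type=REFRESH_TOKEN_ERROR, realmId=demo, clientId=mobile-app, userId=u-1001, ipAddress=10.0.0.5, error=invalid_token, grant_type=refresh_token
2022-01-10 09:20:41,500 WARN  [org.keycloak.events] (default task-7) type=REFRESH_TOKEN_ERROR, realmId=demo, clientId=web-portal, userId=u-2002, ipAddress=10.0.0.9, error=invalid_token, grant_type=refresh_token
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) +\w+ +\[org\.keycloak\.events\] "
    r"\([^)]*\) (?P<kv>.*)$"
)


def parse_events(log_text):
    """Turn event-listener lines into dicts (other log lines are skipped)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = dict(p.split("=", 1) for p in m.group("kv").split(", ") if "=" in p)
        ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        events.append(ev)
    return events


def correlate_refresh_errors(log_text, window=timedelta(minutes=5)):
    """Split REFRESH_TOKEN_ERROR events into those preceded (within `window`) by a
    LOGOUT of the same realm/client/user, i.e. the client-side pattern from the thread,
    and the rest, which still need explaining."""
    key = lambda ev: (ev.get("realmId"), ev.get("clientId"), ev.get("userId"))
    last_logout, explained, unexplained = {}, [], []
    for ev in sorted(parse_events(log_text), key=lambda e: e["ts"]):
        if ev.get("type") == "LOGOUT":
            last_logout[key(ev)] = ev["ts"]
        elif ev.get("type") == "REFRESH_TOKEN_ERROR":
            seen = last_logout.get(key(ev))
            if seen is not None and timedelta(0) <= ev["ts"] - seen <= window:
                explained.append(ev)
            else:
                unexplained.append(ev)
    return explained, unexplained
```

Running `correlate_refresh_errors(SAMPLE_LOG)` on the sample returns two errors explained by the preceding LOGOUT of u-1001 and one unexplained error for u-2002, which is the kind that still deserves a closer look.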
