Issues with session invalidation

Hi everyone,

I’m encountering an issue with Keycloak regarding refresh token invalidation and would appreciate any insights.

Background:

  • I have Keycloak set up with a custom user federation plugin for one of my clients, and it’s working well overall. We’re not syncing users over to Keycloak; instead, we only validate them upon login.
  • A new requirement mandates that only one active session per user exists in our application at any given time.
  • Our plan was to implement session limitation using Keycloak, employing short expiry for access tokens and long expiry for refresh tokens, along with a custom authentication flow to terminate older sessions upon user login.
  • We created a custom flow with session termination, but it isn’t functioning as expected.

What We’ve Observed:

  1. In our basic tests—both in our application and via Postman and scripts—logging in twice allows us to successfully use refresh tokens from both sessions to fetch new access tokens.
  2. The user details page doesn’t list any sessions for that user, yet all sessions appear under the “Sessions” tab in the side panel. These sessions include a link to the user, which then redirects to their session tab displaying an empty list.
  3. Manually revoking the offline session for the app seems to work as intended.

There appears to be a disconnect between what’s shown under user sessions and what’s actually occurring in the sessions panel. Has anyone experienced similar behavior, or do you have any suggestions on what might be going wrong? Any advice on how to properly enforce single active sessions with refresh token invalidation would be greatly appreciated.

Thanks in advance for your help!


Have you seen the User Session Count Limit that you can impose in a custom authentication flow? Extend the browser flow. After the required Username/Password form and the conditional OTP form, add a Step “User Session Count Limit”.

Hi Carl,

Thank you for your suggestion. Yes, we did just that: we extended the browser flow, direct grant flow, and client authentication flow to include the “User Session Count Limit” step as you mentioned. However, it doesn’t seem to have the desired effect.

I find it perplexing that I can view user events and see that both authentication and refresh token usage are occurring successfully, yet the session tab for that user remains empty.

Any further ideas or configurations we might be missing?

Thanks again for your help!

Hello everyone,

For anyone reading this in the future, we’ve resolved our issue. We initially assumed that requesting the ‘offline_access’ scope was necessary to obtain a refresh token. However, to our surprise, not including this scope still provided a refresh token, and our user session limitations started working correctly after it was removed.

If you encounter a similar problem, try removing ‘offline_access’ from your scope and ensure it’s not set as a default scope for your client; session limitation might just work after that.

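A quick check that follows from the resolution above, as an added example and not code from the thread: decode the refresh token Keycloak hands back and confirm it is a session-bound `Refresh` token rather than an `Offline` one (the `typ` values and the `offline_access` entry in the `scope` claim are what Keycloak issues; the sample tokens below are constructed and unsigned).

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without checking its signature.
    Fine for inspecting a token you already hold in a test; never use it to authorize."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def classify_refresh_token(token: str) -> dict:
    """Tell a session-bound refresh token apart from an offline token.
    Keycloak sets typ='Refresh' on refresh tokens tied to a user session and
    typ='Offline' on offline tokens; offline tokens also carry 'offline_access' in 'scope'."""
    claims = decode_jwt_claims(token)
    scopes = set(claims.get("scope", "").split())
    offline = claims.get("typ") == "Offline" or "offline_access" in scopes
    return {
        "typ": claims.get("typ"),
        "offline": offline,
        "session_id": claims.get("sid"),
        "offline_access_in_scope": "offline_access" in scopes,
    }


def _unsigned_token(claims: dict) -> str:
    # Constructed, unsigned sample token (alg=none) for offline testing only.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples mimicking the two token shapes the thread ran into.
SESSION_REFRESH_TOKEN = _unsigned_token({
    "typ": "Refresh", "sid": "6f0c5b2e-example", "scope": "openid profile email",
})
OFFLINE_TOKEN = _unsigned_token({
    "typ": "Offline", "sid": "6f0c5b2e-example", "scope": "openid offline_access",
})

if __name__ == "__main__":
    for name, tok in (("session-bound", SESSION_REFRESH_TOKEN), ("offline", OFFLINE_TOKEN)):
        print(name, classify_refresh_token(tok))
```

Run `classify_refresh_token` on the token your client actually receives after dropping the scope; if it still classifies as offline, the scope is still being added by a default client scope.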