Hi there,
We recently began using Keycloak to issue access tokens using the OIDC Authorization Code flow, and have a custom app written in Golang which handles the flow/callbacks and saves the resulting access token as a cookie in the user’s browser. This app also has built-in logic to request a new access token when the existing token in the cookie expires (after 12 hours).
This seems to work well most of the time; however, occasionally we notice that an already logged-in user (i.e. they have a login session with Keycloak) receives an access token from Keycloak that is already expired (that is, its exp time is in the past). This token obviously fails to validate and we return an error to users.
The only workaround we have currently is clearing all cookies for our Keycloak instance, so I suspect it is somehow tied to longer-running Keycloak sessions. Obviously this is not a great user experience, having to ask users to repeatedly clear cookies, so any help would be appreciated!
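An added diagnostic in Go for this situation (example code, not the poster's app): it reads iat and exp from the token Keycloak returned and tells "expired at issue" (exp not after iat) apart from clock drift between the app host and Keycloak, so the two can be logged separately at the callback. The 30-second leeway and the unsigned sample token are assumptions for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// ParseTokenTimes reads iat and exp from the JWT payload without verifying the
// signature: a diagnostic only, not a substitute for full validation before use.
func ParseTokenTimes(jwt string) (iat, exp time.Time, err error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return iat, exp, fmt.Errorf("not a compact JWS: got %d segments", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return iat, exp, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c struct {
		Iat int64 `json:"iat"`
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return iat, exp, fmt.Errorf("payload is not JSON: %w", err)
	}
	if c.Exp == 0 {
		return iat, exp, fmt.Errorf("token has no exp claim")
	}
	return time.Unix(c.Iat, 0), time.Unix(c.Exp, 0), nil
}

// Classify compares the claims with the local clock, allowing leeway for skew
// between Keycloak and this app. "expired-before-issue" means exp <= iat: the
// token was already dead when minted. "clock-skew" means iat is ahead of our
// clock, which points at time drift rather than at the Keycloak session.
func Classify(iat, exp, now time.Time, leeway time.Duration) string {
	switch {
	case !exp.After(iat):
		return "expired-before-issue"
	case iat.After(now.Add(leeway)):
		return "clock-skew"
	case now.After(exp.Add(leeway)):
		return "expired"
	}
	return "usable"
}
```

Logging the verdict alongside the app host's own time at the callback makes it possible to tell, from the logs alone, whether the bad tokens arrive with exp already behind iat or whether the app's clock is simply out of step with Keycloak.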