Offline token and active session max

Hi,

I want to make an app logged with an offline token.

const config = {
    clientId: "CLIENT",
    promiseType: "native",
    realm: "dev",
    scope: "offline_access",
    url: "https://XXX/auth",
    // offline refresh token saved from a previous session (undefined on first run)
    refreshToken: this.getOfflineToken()
}
this.keycloak.init(config).then((authenticated) => {
    if (!authenticated) {
        this.keycloak.login(config)
    }
}).catch((a) => {
    console.error(a)
})

this.keycloak.onAuthSuccess = () => {
    // persist the (offline) refresh token after every successful auth / token refresh
    this.setStorageOfflineToken()
}
  1. At first login, config.refreshToken is not set, so authenticated = false
  2. I call login()
  3. I go back to my app, and authenticated = true!
  4. At each token refresh, the offline token is stored in localStorage
  5. At the second login, config.refreshToken is an offline refresh token, so authenticated = true!

And when the active session ends, I'm disconnected.

I tested with a short SSO Session Max (2 mins) and I need to log in again with login/password after these 2 mins.
In the admin tab, the offline session is still active.

It looks like this issue: https://issues.redhat.com/browse/KEYCLOAK-4201
And the documentation says "an offline token will never expire by default and is not subject of the SSO Session Idle timeout and SSO Session Max lifespan": https://www.keycloak.org/docs/latest/server_admin/index.html#_offline-access

Can't we have an unlimited active session?
Is it a bug? Or did I misunderstand something?

Thank you for your help.
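Added example (not code from the original post): a small helper that decodes the refresh token stored by the app above and reports whether it is really an offline token (Keycloak marks them with a "typ" claim of "Offline" and no usable "exp") or an ordinary refresh token bound to the SSO session. The sample tokens are constructed here with a dummy signature; nothing is verified, so this is a debugging aid, not a trust decision.

```javascript
// base64url -> utf8 (JWT segments have no padding and use - and _)
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const pad = "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, "base64").toString("utf8");
}

// object -> base64url JSON (only used to build the constructed samples)
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Reads the payload of a Keycloak refresh token. Signature is NOT checked.
function inspectRefreshToken(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWS compact token");
  const claims = JSON.parse(b64urlDecode(parts[1]));
  const isOffline = claims.typ === "Offline";   // "Refresh" for a normal refresh token
  const neverExpires = !claims.exp;             // offline tokens carry exp 0 or no exp
  return {
    typ: claims.typ,
    isOffline,
    neverExpires,
    expiresAt: neverExpires ? null : new Date(claims.exp * 1000).toISOString(),
    sessionState: claims.session_state,
    hasOfflineScope: (claims.scope || "").split(" ").includes("offline_access"),
  };
}

// Constructed sample tokens (header + payload, dummy signature), not real Keycloak output.
const header = b64urlEncode({ alg: "HS256", typ: "JWT" });
const OFFLINE_TOKEN = `${header}.${b64urlEncode({
  typ: "Offline", iss: "https://XXX/auth/realms/dev",
  scope: "openid offline_access", session_state: "0000-constructed",
})}.sig`;
const REGULAR_REFRESH_TOKEN = `${header}.${b64urlEncode({
  typ: "Refresh", exp: 1600000120, iss: "https://XXX/auth/realms/dev",
  scope: "openid", session_state: "0000-constructed",
})}.sig`;

console.log(inspectRefreshToken(OFFLINE_TOKEN));
console.log(inspectRefreshToken(REGULAR_REFRESH_TOKEN));
```

If the token your app reads back from localStorage reports typ "Refresh", the stored value is a session-bound refresh token and will die with SSO Session Max, regardless of the offline session shown in the admin console.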

I tried with curl:

KC_REALM=dev
KC_CLIENT=client
USERNAME=plok
PASSWORD=plok

# password grant with offline_access scope: the returned refresh_token is an offline token
refresh_token=`curl -k -s \
 -d "client_id=$KC_CLIENT" \
 -d "username=$USERNAME" \
 -d "password=$PASSWORD" \
 -d "grant_type=password" \
 -d "scope=openid info offline_access" \
 https://localhost:8080/auth/realms/$KC_REALM/protocol/openid-connect/token | jq -r '.refresh_token'`

echo "$refresh_token"

# refresh every 10 s with the offline token to see whether the session survives SSO Session Max
while true
do
 printf '\n\n\n'
 curl -k -s \
  -d "client_id=$KC_CLIENT" \
  -d "grant_type=refresh_token" \
  -d "refresh_token=$refresh_token" \
  https://localhost:8080/auth/realms/$KC_REALM/protocol/openid-connect/token | jq
 date
 sleep 10s
done

And I don't have this problem there: the active session is not deleted.

Jira issue https://issues.redhat.com/projects/KEYCLOAK/issues/KEYCLOAK-14319

And it’s officially a bug.
