Offline token invalid but not expired


I have a problem with offline tokens. Some of them expire well before the limit. My offline tokens have an expiration period of 190 days (Offline Session Idle = 190d and Offline Session Max = 190d). To obtain them, my user goes through the authorization code grant flow and consents. The tokens are stored in a database and exchanged for access tokens with a client_id and client_secret.

My users sometimes get this error that I cannot explain:

    "error": "invalid_grant",
    "error_description": "Session doesn't have required client"

I’m running Keycloak 15.1.1 on a Kubernetes cluster of 3 nodes. The CACHE_OWNER parameter is 2.
I’m using lazy loading of offline tokens with this setting:

    <subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
        <spi name="userSessions">
            <provider name="infinispan" enabled="true">
                <property name="preloadOfflineSessionsFromDatabase" value="false"/>
            </provider>
        </spi>
        <!-- rest of the subsystem configuration not shown in the post -->
    </subsystem>

Any idea?




The problem is solved and it was indeed a cache problem. The CACHE_OWNER parameter was the cause. We were losing sessions during the rolling update phase.

Thanks for your help,

Best regards
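
An added example, not part of the original posts: a client-side check that separates offline-token refresh failures consistent with the 190-day lifetime from ones rejected early, and groups the early rejections by hour so a burst can be lined up with an event such as a rolling update. The function names, event fields and sample data are assumptions constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Lifetimes quoted in the post (Offline Session Idle = Offline Session Max = 190d).
OFFLINE_IDLE = timedelta(days=190)
OFFLINE_MAX = timedelta(days=190)


def classify(body, issued_at, last_used, now):
    """Classify a token-endpoint error body returned for a stored offline token."""
    try:
        err = json.loads(body)
    except (TypeError, ValueError):
        return "unparseable"
    if not isinstance(err, dict) or err.get("error") != "invalid_grant":
        return "other_error"
    if now >= min(issued_at + OFFLINE_MAX, last_used + OFFLINE_IDLE):
        return "expired"  # rejection is consistent with the configured lifetime
    # Rejected inside its lifetime: the server no longer holds a usable session.
    return "premature"


def premature_bursts(events, bucket=timedelta(hours=1), threshold=2):
    """Return bucket start times in which >= threshold tokens failed prematurely."""
    step = int(bucket.total_seconds())
    hits = Counter()
    for ev in events:
        if classify(ev["body"], ev["issued_at"], ev["last_used"], ev["now"]) == "premature":
            epoch = int(ev["now"].timestamp())
            hits[datetime.fromtimestamp(epoch - epoch % step, timezone.utc)] += 1
    return sorted(t for t, n in hits.items() if n >= threshold)


# Constructed sample data: three refresh failures logged by the client application.
ERR_BODY = '{"error": "invalid_grant", "error_description": "Session doesn\'t have required client"}'
T0 = datetime(2022, 3, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"body": ERR_BODY, "issued_at": T0 - timedelta(days=30),
     "last_used": T0 - timedelta(days=1), "now": T0 + timedelta(minutes=5)},
    {"body": ERR_BODY, "issued_at": T0 - timedelta(days=12),
     "last_used": T0 - timedelta(days=2), "now": T0 + timedelta(minutes=40)},
    {"body": ERR_BODY, "issued_at": T0 - timedelta(days=200),
     "last_used": T0 - timedelta(days=3), "now": T0 + timedelta(minutes=50)},
]

if __name__ == "__main__":
    for start in premature_bursts(SAMPLE):
        print("premature invalid_grant burst in hour starting", start.isoformat())
```
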