Refresh_token_error

Hi,

I have the following problem. I am requesting an offline access token with the additional scope “offline_access”. The access token has a short validity. The refresh/offline tokens do not expire. If we request a new access token with the offline token (grant type “refresh_token”), it sometimes happens that the token is no longer valid. How does Keycloak store the offline token IDs? Is it possible that Keycloak is storing these tokens only in memory and only the offline sessions are persisted in the database? I would assume that when I request an offline access token, the offline token ID is also stored in the database. How do I make sure that the offline token remains valid if, for example, I have restarted the entire cluster? I found the tables “offline_client_session” and “offline_user_session” in the database, but I did not find any information about the still-valid offline tokens? I suspect that these are not persisted at all.

Thx and best regards

Hi,

Keycloak stores user/client sessions and offline user/client sessions in memory (caches), and offline user/client sessions are also persisted in a database. When you restart the Keycloak cluster, the content of the caches will be gone, and then it depends on whether you have offline session pre-loading enabled (disabled since Keycloak 17; offline sessions are lazy-loaded from the DB). If pre-loading is enabled, offline sessions are loaded into the caches during startup.

It is hard to say from your description why you see refresh token errors. I would double-check the lifespan configuration of your offline sessions and check the logs for any errors/warnings.

Regards,

Martin
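
Added example, not part of the thread and not Keycloak's own code: a small Python diagnostic for the lifespan check suggested above. It decodes a refresh token's claims without verifying the signature and compares the session's age with the realm's offline session settings. The field names are those of a Keycloak realm export, the default values are assumed to match a stock realm, and the token, realm settings and timestamps are constructed.

```python
import base64
import json

DAY = 86400

def make_sample_token(claims):
    """Build a constructed, JWT-shaped string for the demo (signature is a placeholder)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed-signature"])

def decode_claims(token):
    """Return the payload claims WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def offline_session_status(claims, realm, session_start, last_refresh, now):
    """Say whether an offline session should still be accepted at `now` (epoch seconds)."""
    if claims.get("typ") != "Offline":
        return "not-offline-token"  # token was issued without the offline_access scope
    if now - last_refresh > realm.get("offlineSessionIdleTimeout", 30 * DAY):
        return "idle-timeout-exceeded"  # token was not used within the idle window
    if realm.get("offlineSessionMaxLifespanEnabled", False):
        if now - session_start > realm.get("offlineSessionMaxLifespan", 60 * DAY):
            return "max-lifespan-exceeded"
    exp = claims.get("exp") or 0  # 0 or absent: the token itself carries no expiry
    if exp and now >= exp:
        return "token-exp-passed"
    return "valid"

# Constructed realm settings, session start time and token (assumptions for the demo).
SAMPLE_REALM = {
    "offlineSessionIdleTimeout": 30 * DAY,
    "offlineSessionMaxLifespanEnabled": False,
    "offlineSessionMaxLifespan": 60 * DAY,
}
START = 1_700_000_000
SAMPLE_TOKEN = make_sample_token({"typ": "Offline", "iat": START, "exp": 0})

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    last = START + 10 * DAY
    for label, now in [("5 days idle", last + 5 * DAY), ("31 days idle", last + 31 * DAY)]:
        print(label, "->", offline_session_status(claims, SAMPLE_REALM, START, last, now))
```

A token that carries no expiry of its own can still be rejected once the idle timeout has passed without a refresh, which would match refresh errors that only appear sometimes.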