Refresh token (offline_access scope) affected by session idle/session max

Hello there.

My Keycloak is configured with:

SSO Session Idle = 30m
SSO Session Max = 30m

And my refresh token with the offline_access scope has an interesting lifetime:

  • If the client is inactive for more than 30m, then when I use the refresh token to fetch a new access token, Keycloak's response is:
    {
      "error": "invalid_grant",
      "error_description": "Session doesn't have required client"
    }
  • If the client does at least one authentication request within the 30m span, then Keycloak successfully provides me with a new access token, and it works fine until the previous scenario happens.

According to the documentation, a refresh token with the offline scope shouldn't be affected by session idle/max at all.

Any ideas?

Keycloak version 14.0.0

The refresh token from Keycloak is the correct one:

{
  "iat": 1640106070,
  "jti": "{id}",
  "iss": "{my keycloack}",
  "aud": "{my keycloack}",
  "sub": "{id}",
  "typ": "Offline",
  "azp": "{my client}",
  "session_state": "{id}",
  "scope": "openid offline_access"
}

Appears to be a bug in the Keycloak UI: Refresh token with offline_access scope affected by session idle/session max · Issue #9299 · keycloak/keycloak · GitHub.
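Added example (not from the original post or from Keycloak): a small Python helper that decodes a refresh token's claims locally and checks whether it is actually an offline token (`typ` of `Offline` and `offline_access` in `scope`) rather than a session-bound `Refresh` token, which is the first thing worth confirming before attributing the failure to the SSO session idle/max settings. The sample tokens are constructed and unsigned; the header and signature segments are placeholders.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWS without verifying the signature.

    This is for local inspection of claims only; a token whose signature has not
    been verified must never be trusted for authorization decisions.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_refresh_token(token: str) -> str:
    """Return 'offline' for an offline token, 'session-bound' for a regular
    refresh token (which dies with the SSO session), else 'unknown'."""
    claims = decode_jwt_payload(token)
    scopes = claims.get("scope", "").split()
    if claims.get("typ") == "Offline" and "offline_access" in scopes:
        return "offline"
    if claims.get("typ") == "Refresh":
        return "session-bound"
    return "unknown"


def _make_unsigned_token(claims: dict) -> str:
    """Constructed sample token: real header shape, placeholder signature."""
    def b64url(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64url({'alg': 'HS256', 'typ': 'JWT'})}.{b64url(claims)}.placeholder-sig"


# Constructed samples mirroring the claim layout shown in the post.
OFFLINE_TOKEN = _make_unsigned_token({
    "iat": 1640106070, "jti": "{id}", "iss": "{issuer}", "aud": "{issuer}",
    "sub": "{id}", "typ": "Offline", "azp": "{client}",
    "session_state": "{id}", "scope": "openid offline_access",
})
SESSION_TOKEN = _make_unsigned_token({
    "iat": 1640106070, "jti": "{id}", "iss": "{issuer}", "aud": "{issuer}",
    "sub": "{id}", "typ": "Refresh", "azp": "{client}",
    "session_state": "{id}", "scope": "openid",
})

if __name__ == "__main__":
    print(classify_refresh_token(OFFLINE_TOKEN))  # offline
    print(classify_refresh_token(SESSION_TOKEN))  # session-bound
```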