Hey,
without going too much into the details, my setup is as follows:
- using Keycloak 12.0.4 (standalone-ha.xml)
- deployed with bitnami helm chart
- 3 replicas
- Infinispan cache set to 3 owners
- one node at a time gets restarted on deployment (at least one node is always running!)
Let's say client A is a public client and uses the password grant_type. Everything works as expected, and even if one node dies the user sessions will still be active and the users won't even notice.
Whenever all nodes are being restarted (still one by one, to prevent all nodes being down at the same time) the application cannot request a new access token using a refresh token it obtained before the restart happened. Keycloak returns an error saying the session is not active.
I've tried a workaround by using the offline session (since it gets stored in the database and not the cache), but I get a similar behaviour with an error saying the offline user session could not be found.
The session does exist in the database and the entry has not changed significantly after its initial creation.
After long troubleshooting sessions I've found the root of the problem, which is a combination of the Access Type and Standard Flow Enabled fields. I get the expected behaviour (of the session being active and found) when I set the Access Type of the client to "confidential" and set Standard Flow Enabled to "true".
Can anyone confirm this behaviour?
Is it me not understanding Keycloak/OIDC or does that seem to be a bug?
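The exchange the post describes (password grant, rolling restart of every replica, then a refresh attempt), written up as a reproduction harness. This is an added example, not code from the original post and not Keycloak's own code. The hostname, realm and client name are assumed placeholders, the Keycloak 12 token endpoint path under /auth is used, and the sample refresh token and error response are constructed from what the post reports. It goes one step beyond the post by decoding the refresh token's claims (without signature verification, for inspection only) so you can confirm whether the token you are refreshing with is an ordinary one (typ "Refresh") or an offline one (typ "Offline") before blaming the cache:

```python
# Reproduction harness for the refresh-after-rolling-restart symptom.
# Added example; not the poster's or Keycloak's code. URL/client are assumed.
import base64
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Assumed placeholders. Keycloak 12 still serves realms under /auth.
TOKEN_URL = ("https://keycloak.example.invalid/auth/realms/myrealm"
             "/protocol/openid-connect/token")
CLIENT_ID = "client-a"  # the public client from the post; name is assumed


def password_grant_body(client_id, username, password,
                        offline=False, client_secret=None):
    """grant_type=password body. offline=True asks for an offline session
    (scope=offline_access); client_secret only for a confidential client."""
    params = {"grant_type": "password", "client_id": client_id,
              "username": username, "password": password}
    if offline:
        params["scope"] = "offline_access"
    if client_secret:
        params["client_secret"] = client_secret
    return urllib.parse.urlencode(params).encode()


def refresh_grant_body(client_id, refresh_token, client_secret=None):
    """grant_type=refresh_token body."""
    params = {"grant_type": "refresh_token", "client_id": client_id,
              "refresh_token": refresh_token}
    if client_secret:
        params["client_secret"] = client_secret
    return urllib.parse.urlencode(params).encode()


def post_token(url, body):
    """POST to the token endpoint; return (status, parsed JSON) for both
    success and 4xx error responses so the caller can classify them."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode())
    except HTTPError as err:
        raw = err.read().decode()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, {"error": "non_json_response",
                              "error_description": raw}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token):
    """Read refresh-token claims WITHOUT verifying the signature (inspection
    only). Keycloak sets typ "Offline" on offline tokens, "Refresh" otherwise."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


# Constructed, unsigned sample token so the decoder can be exercised offline.
SAMPLE_OFFLINE_TOKEN = ".".join([
    _b64url(b'{"alg":"none"}'),
    _b64url(json.dumps({"typ": "Offline",
                        "session_state": "00000000-constructed"}).encode()),
    "",
])


def classify_refresh(status, payload):
    """Map a refresh response to the outcomes in the post. Keycloak answers
    invalid_grant when the user session behind the refresh token is gone."""
    if status == 200 and "access_token" in payload:
        return "refreshed"
    if payload.get("error") == "invalid_grant":
        return "session_lost"
    return "other_error"


def reproduce(username, password, offline=False, client_secret=None):
    """Interactive run: log in, pause for the rolling restart, then refresh."""
    status, tokens = post_token(TOKEN_URL, password_grant_body(
        CLIENT_ID, username, password, offline, client_secret))
    if status != 200:
        raise SystemExit(f"login failed: {tokens}")
    claims = decode_jwt_payload(tokens["refresh_token"])
    print("refresh token typ:", claims.get("typ"),
          "session_state:", claims.get("session_state"))
    input("Roll-restart every Keycloak replica now, then press Enter...")
    status, payload = post_token(TOKEN_URL, refresh_grant_body(
        CLIENT_ID, tokens["refresh_token"], client_secret))
    verdict = classify_refresh(status, payload)
    print(verdict, payload.get("error_description", ""))
    return verdict


if __name__ == "__main__":
    import sys
    reproduce(sys.argv[1], sys.argv[2], offline="--offline" in sys.argv)
```

Run it as `python repro.py <user> <password>` for the plain refresh token case and add `--offline` for the offline-session variant; pass a client_secret to reproduce() when testing the confidential-client configuration the post ends up with. The printed typ value tells you whether Keycloak actually issued an offline token, and the verdict after the restart distinguishes a lost session (invalid_grant) from any other failure.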