Sessions not available after server restart when client is public

Hey,

without going too much into the details, my setup is as follows:

  • using Keycloak 12.0.4 (standalone-ha.xml)
  • deployed with bitnami helm chart
    – 3 replicas
    – Infinispan cache set to 3 owners
    – one node at a time gets restarted on deployment (at least one node is always running!)

Let’s say client A is a public client and uses the password grant_type. Everything works as expected and even if one node dies the user sessions will still be active and the users won’t even notice.

Whenever all nodes are being restarted (still one by one, to prevent all nodes being down at the same time) the application cannot request a new access token using a refresh token it obtained before the restart happened. Keycloak returns an error saying the session is not active.
I’ve tried a workaround by using the offline session (since it gets stored in the database and not the cache) but I get a similar behaviour with an error saying offline user session could not be found.
The session does exist in the database and the entry has not changed significantly after its initial creation.

After long troubleshooting sessions I’ve found the root of the problem which is a combination of the Access Type and Standard Flow Enabled fields. I get the expected behaviour (of the session being active and found) when I set the Access Type of the client to confidential and set the Standard Flow Enabled to true.

Can anyone confirm this behaviour?
Is it me not understanding Keycloak/OIDC or does that seem to be a bug?


I’ve upgraded to Keycloak 14.0.0 in the meantime and my workaround with using Access Type: confidential and Standard Flow Enabled doesn’t work anymore.
I still have all replicas as owners and when restarting them I can see the sync process in the logs. Using the offline_access scope solves the issue. I’m not 100% sold on that workaround since I’m not providing any “real” offline functionality.
Does anyone have similar issues or is someone using the infinispan cache with multiple owners and it’s working?
I would appreciate you sharing your experience with it!
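To make the scenario from the two posts above reproducible, here is a small script that runs the password grant, inspects the refresh token it gets back, and then retries the refresh grant after the rolling restart. This is an added example, not code from the original poster or from Keycloak. The realm "demo", public client "client-a" and user "alice" are hypothetical, as is the base URL; only the HTTP calls in main() need a live Keycloak, the helpers run offline against a constructed token.

```python
"""Exercise the password grant / refresh token cycle described in the thread.

Added example; not the poster's code and not Keycloak's. Realm "demo",
client "client-a", user "alice" and the base URL are assumptions.
"""
import base64
import json
import sys
import urllib.error
import urllib.parse
import urllib.request


def token_endpoint(base_url, realm):
    # Keycloak 12 from the bitnami chart serves under /auth; include that
    # prefix in base_url, e.g. https://kc.example.internal/auth (hypothetical).
    return "%s/realms/%s/protocol/openid-connect/token" % (base_url.rstrip("/"), realm)


def password_grant_form(client_id, username, password, offline=False):
    """Form body for the Resource Owner Password Credentials grant.

    offline=True adds the offline_access scope (the workaround from the
    thread): the refresh token then comes back as an offline token that
    Keycloak persists in the database, not only in the Infinispan cache.
    """
    fields = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }
    if offline:
        fields["scope"] = "offline_access"
    return urllib.parse.urlencode(fields)


def refresh_grant_form(client_id, refresh_token):
    """Form body for exchanging a refresh (or offline) token for new tokens."""
    return urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    })


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode a JWT payload WITHOUT checking the signature.

    Fine for inspecting a token the server just handed you; never base an
    authorisation decision on the result.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def refresh_token_kind(token):
    """Return (typ, session_state) to see what kind of token you were given.

    Keycloak sets typ "Refresh" on ordinary refresh tokens and "Offline" on
    offline tokens; session_state is the user session the token is bound to,
    which is what the refresh grant can no longer find after the restarts.
    """
    claims = jwt_claims(token)
    return claims.get("typ", ""), claims.get("session_state", "")


def post_form(url, body):
    """POST a form to the token endpoint and return (status, parsed JSON).

    A rejected refresh comes back as an HTTP error with a JSON body carrying
    error/error_description, so both the success and the failure path decode.
    """
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def make_sample_token(claims):
    """Constructed, unsigned token for offline use; NOT a real Keycloak token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none"}), enc(claims))


if __name__ == "__main__":
    # usage: python kc_refresh.py https://kc.example.internal/auth demo client-a alice 's3cret'
    base, realm, client, user, pw = sys.argv[1:6]
    url = token_endpoint(base, realm)
    status, tokens = post_form(url, password_grant_form(client, user, pw, offline=True))
    print("password grant:", status, refresh_token_kind(tokens["refresh_token"]))
    input("restart the Keycloak replicas one by one, then press Enter ...")
    status, body = post_form(url, refresh_grant_form(client, tokens["refresh_token"]))
    print("refresh grant:", status, body.get("error_description") or "new access token issued")
```

Run it once without offline=True to reproduce the "session not active" error after the rolling restart, and once with it to confirm the token you hold really is typ "Offline" and survives; if the refresh still fails with an offline token, the offline session lookup in the database is the thing to troubleshoot, not the Infinispan owners setting.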