Spring Boot returns 403 after session timeout

We have a spring boot application secured via Keycloak behind a nginx proxy. The Keycloak is hosted as a two host clustered standalone-ha environment.

Everything works as expected but if the user is inactive longer than Client Session Max configuration (here 10 hours) and the user starts any kind of request the server redirects to /sso/login with an 403 error.

The Keycloak server logs the following entry:

WARN  [org.keycloak.events] (default task-18283) type=REFRESH_TOKEN_ERROR, realmId=xxx, clientId=yyy, userId=null, ipAddress=XX.XX.XX.XX, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret

The spring boot application itself logs:

RefreshableKeycloakSecurityContext.refreshExpiredToken (124) - Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Token is not active"}

Can you help out here?


1 Like

I have the same problem.
You can resolve this? Any idea?

Thank you

I have opened a ticket and the issue has been resolved in Version 13 of keycloak.

See details here: https://issues.redhat.com/browse/KEYCLOAK-17323

Best regards