Handling OpenID session timeouts / stale refreshToken #17851
dasantonym (announced in Archive)
-
There is code that should handle this, but it's possible there is an edge case with Keycloak. When attempting to login with an invalid refresh token, the provider should trigger an "invalid_grant" error which is caught and re-triggers a login with a "prompt=consent" parameter, which should in theory trigger a full re-authorization which should return a new refresh token. https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L331 I guess Keycloak isn't returning a refresh token on prompt. A temporary fix would be to increase the keycloak lifetime on refresh tokens by increasing the idle limits.
-
I have an instance of Directus running with Keycloak OpenID authentication enabled. Everything is working fine, except that there is a problem with expired tokens being stored in the DB.
Here's what's happening:
- auth_data for the user is set using the refreshToken from Keycloak.
- refreshToken from the DB, which then fails.
I added code to the refresh(user) function in the OpenIDAuthDriver class that removes the stale auth_data, if an invalid_grant error occurs and now I no longer have this problem.
I am not sure if I've got something set up wrong here or if this is a bug... Should this go into an issue or should I do something differently?
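The behaviour discussed in both posts (a refresh attempt with a stale token coming back as invalid_grant, and the stored auth_data being cleared so the user is sent through a full login instead of replaying the dead token) as a stand-alone TypeScript sketch. This is an added example, not code from Directus or from the OpenIDAuthDriver; TokenClient, UserStore, refreshSession, OAuthError and the in-memory fakes are hypothetical names, and the sample tokens are constructed. It also shows the two cases a practitioner wants kept apart: a rotated refresh token is persisted, while a transient transport error leaves auth_data untouched.

```typescript
// Added example, not Directus code: how an OpenID refresh step can react to a
// rejected refresh token. All class and function names here are hypothetical.

// Subset of an OAuth 2.0 token response (RFC 6749 section 5.1).
interface TokenResponse {
  access_token: string;
  refresh_token?: string; // providers may rotate the refresh token on use
  expires_in: number;
}

// Token endpoint error (RFC 6749 section 5.2). "invalid_grant" is what a
// provider returns for an expired, revoked or unknown refresh token.
class OAuthError extends Error {
  code: string;
  constructor(code: string, description?: string) {
    super(description ?? code);
    this.code = code;
  }
}

interface TokenClient {
  refresh(refreshToken: string): TokenResponse;
}

interface StoredAuth {
  refreshToken: string;
}

// Persisted auth_data for a user; null means nothing is stored.
interface UserStore {
  getAuthData(userId: string): StoredAuth | null;
  setAuthData(userId: string, data: StoredAuth | null): void;
}

type RefreshOutcome =
  | { kind: 'refreshed'; accessToken: string; expiresIn: number }
  | { kind: 'reauth_required'; reason: string };

// Duck-typed check so it also works where Error subclassing loses the prototype.
function isInvalidGrant(err: unknown): boolean {
  return typeof err === 'object' && err !== null && (err as { code?: unknown }).code === 'invalid_grant';
}

function refreshSession(userId: string, client: TokenClient, store: UserStore): RefreshOutcome {
  const auth = store.getAuthData(userId);
  if (!auth) return { kind: 'reauth_required', reason: 'no refresh token stored' };
  try {
    const tokens = client.refresh(auth.refreshToken);
    // Keep whichever refresh token the provider now considers current.
    if (tokens.refresh_token && tokens.refresh_token !== auth.refreshToken) {
      store.setAuthData(userId, { refreshToken: tokens.refresh_token });
    }
    return { kind: 'refreshed', accessToken: tokens.access_token, expiresIn: tokens.expires_in };
  } catch (err) {
    if (isInvalidGrant(err)) {
      // The stored token is dead: clear it so later refreshes do not keep
      // replaying it, and tell the caller to run a full login instead.
      store.setAuthData(userId, null);
      return { kind: 'reauth_required', reason: 'refresh token rejected (invalid_grant)' };
    }
    // Anything else (network error, 5xx) is transient: keep auth_data, let the caller retry.
    throw err;
  }
}

// Constructed in-memory doubles so the example runs offline.
class MemoryStore implements UserStore {
  private data: Record<string, StoredAuth> = {};
  getAuthData(userId: string): StoredAuth | null {
    return this.data[userId] ?? null;
  }
  setAuthData(userId: string, data: StoredAuth | null): void {
    if (data) this.data[userId] = data;
    else delete this.data[userId];
  }
}

// Fake provider: "good-*" tokens succeed and are rotated, "flaky-*" tokens hit a
// transport failure, anything else is treated as expired.
class FakeTokenClient implements TokenClient {
  refresh(refreshToken: string): TokenResponse {
    if (refreshToken.startsWith('flaky-')) throw new Error('ECONNRESET');
    if (!refreshToken.startsWith('good-')) throw new OAuthError('invalid_grant', 'Token is not active');
    return { access_token: 'at-' + refreshToken, refresh_token: refreshToken + '-rotated', expires_in: 300 };
  }
}

interface DemoResult {
  first: RefreshOutcome;      // alice: valid token, rotated by the provider
  rotatedTo: string | null;   // what is stored for alice afterwards
  stale: RefreshOutcome;      // bob: expired token -> invalid_grant
  staleCleared: boolean;      // bob's auth_data removed?
  flakyKept: string | null;   // carol: transport error -> token kept
}

function demo(): DemoResult {
  const store = new MemoryStore();
  const client = new FakeTokenClient();
  store.setAuthData('alice', { refreshToken: 'good-1' });
  store.setAuthData('bob', { refreshToken: 'expired-9' });
  store.setAuthData('carol', { refreshToken: 'flaky-3' });
  const first = refreshSession('alice', client, store);
  const rotatedTo = store.getAuthData('alice')?.refreshToken ?? null;
  const stale = refreshSession('bob', client, store);
  const staleCleared = store.getAuthData('bob') === null;
  let flakyKept: string | null = null;
  try {
    refreshSession('carol', client, store);
  } catch (_e) {
    flakyKept = store.getAuthData('carol')?.refreshToken ?? null;
  }
  return { first, rotatedTo, stale, staleCleared, flakyKept };
}
```

The point of separating the two failure paths is that clearing auth_data on every error would log users out on any provider hiccup, while never clearing it reproduces the problem in the post: a dead refresh token is replayed on each refresh and the user is stuck until the row is fixed by hand.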