
[bitnami/keycloak] Hit REFRESH_TOKEN_ERROR error after upgrade from bitnami/keycloak 21.0.0 to 22.2.5 #29499

Closed
weim3ng opened this issue Sep 19, 2024 · 3 comments
Labels: keycloak, solved, stale (15 days without activity), tech-issues (The user has a technical issue about an application), triage (Triage is needed)

Comments

weim3ng commented Sep 19, 2024

Name and Version

bitnami/keycloak 22.2.5

What architecture are you using?

amd64

What steps will reproduce the bug?

  1. Upgrade from bitnami/keycloak 21.0.0 to 22.2.5
  2. Environment - Azure AKS with Kubernetes version v1.28.5
  3. Run - Login with an Angular web application that uses the keycloak-angular package
  4. Get 400 Bad Request from /realms/master/protocol/openid-connect/token with the form data below
  • Request form data
grant_type=refresh_token&refresh_token=xxxxxxxx&client_id=security-admin-console
  • Response
{
    "error": "invalid_grant",
    "error_description": "Token is not active"
}
  5. Error in Keycloak log

2024-09-19 07:46:13,669 WARN  [org.keycloak.events] (executor-thread-1) type="REFRESH_TOKEN_ERROR", realmId="f015a8e5-5478-4c9b-80b5-de1c580c3565", realmName="xxxxx", clientId="xxxx", userId="null", ipAddress="10.3.4.133", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"
2024-09-19 07:46:13,669 DEBUG [WebApplicationException] (executor-thread-1) Restarting handler chain for exception exception: org.keycloak.services.CorsErrorResponseException: invalid_grant
	at org.keycloak.protocol.oidc.grants.RefreshTokenGrantType.process(RefreshTokenGrantType.java:101)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:140)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint$quarkusrestinvoker$processGrantRequest_6408e15340992839b66447750c221d9aaa837bd7.invoke(Unknown Source)
	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:1583)

Are you using any custom parameters or values?

No response

What is the expected behavior?

Able to login successfully as in bitnami/keycloak 21.0.0 version

What do you see instead?

  1. Get 400 Bad Request from /realms/master/protocol/openid-connect/token with the form data below
  • Request form data
grant_type=refresh_token&refresh_token=xxxxxxxx&client_id=security-admin-console
  • Response
{
    "error": "invalid_grant",
    "error_description": "Token is not active"
}
  2. Error in Keycloak log

2024-09-19 07:46:13,669 WARN  [org.keycloak.events] (executor-thread-1) type="REFRESH_TOKEN_ERROR", realmId="f015a8e5-5478-4c9b-80b5-de1c580c3565", realmName="acme2-perf", clientId="dms", userId="null", ipAddress="10.3.4.133", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"
2024-09-19 07:46:13,669 DEBUG [WebApplicationException] (executor-thread-1) Restarting handler chain for exception exception: org.keycloak.services.CorsErrorResponseException: invalid_grant
	at org.keycloak.protocol.oidc.grants.RefreshTokenGrantType.process(RefreshTokenGrantType.java:101)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:140)
	at org.keycloak.protocol.oidc.endpoints.TokenEndpoint$quarkusrestinvoker$processGrantRequest_6408e15340992839b66447750c221d9aaa837bd7.invoke(Unknown Source)
	at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
	at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
	at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
	at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
	at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
	at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
	at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:1583)

Additional information

yaml file

image:
  debug: true

auth:
  adminUser: ${KEYCLOAK_ADMIN_USER}
  adminPassword: ${KEYCLOAK_ADMIN_PASSWORD}

postgresql:
  enabled: false

externalDatabase:
  host: ${DB_HOST}
  port: 1433
  database: ${DB_NAME}
  user: ${DB_USER}
  password: ${DB_PASSWORD}

cache:
  enabled: true

production: true

proxy: edge

extraStartupArgs: "--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --spi-sticky-session-encoder-infinispan-should-attach-route=true"

extraEnvVars:
  - name: KEYCLOAK_LOG_LEVEL
    value: DEBUG
  - name: QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY
    value: "true"
  - name: QUARKUS_TRANSACTION_MANAGER_OBJECT_STORE_DIRECTORY
    value: "/opt/bitnami/keycloak/objectstore"
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"
  - name: KC_DB
    value: "mssql"
  - name: KC_DB_URL
    value: "jdbc:sqlserver://${DB_HOST}:1433;databaseName=${DB_NAME};encrypt=true;trustServerCertificate=false;loginTimeout=30;sendStringParametersAsUnicode=false;"
  - name: KC_TRANSACTION_XA_ENABLED
    value: "false"

replicaCount: 2

resources:
  requests:
    cpu: 384m
    memory: 1536Mi
  limits:
    cpu: 500m
    memory: 2048Mi

livenessProbe:
  enabled: true
  initialDelaySeconds: 300
  periodSeconds: 1
  timeoutSeconds: 5
  failureThreshold: 3
  successThreshold: 1

readinessProbe:
  enabled: true
  initialDelaySeconds: 30
  periodSeconds: 10
  timeoutSeconds: 1
  failureThreshold: 3
  successThreshold: 1

startupProbe:
  enabled: false
  initialDelaySeconds: 30
  periodSeconds: 5
  timeoutSeconds: 1
  failureThreshold: 60
  successThreshold: 1

nodeSelector:
  application: "yes"

extraVolumeMounts:
  - mountPath: /opt/bitnami/keycloak/themes/dms
    name: theme
  - mountPath: /opt/bitnami/keycloak/objectstore
    name: objectstore

extraVolumes:
  - name: theme
  - name: objectstore

service:
  type: ClusterIP
  sessionAffinity: ClientIP
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 10800

ingress:
  annotations:
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
    nginx.ingress.kubernetes.io/cors-allow-methods: "*"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://*.xxx.xxxxxxxx.com, http://localhost:4200" 
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/proxy-buffer-size: 12k
  hostname: ${KEYCLOAK_INGRESS_HOST}
  ingressClassName: nginx-internal
  tls: true

pdb:
  create: true
  minAvailable: 1

logging:
  output: default
  level: INFO
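The WARN lines quoted in the report are the signal to watch for in the Keycloak log after an upgrade. The script below is an added example, not code from the issue or the Bitnami chart: it parses Keycloak's key="value" event format and tallies REFRESH_TOKEN_ERROR events per realm, client and reason. The sample lines are constructed in the same format as the ones above, with placeholder realm and client names.

```python
import re
from collections import Counter
from datetime import datetime

# Keycloak event lines have the shape
#   <timestamp> <LEVEL> [org.keycloak.events] (<thread>) key="value", key="value", ...
EVENT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+)\s+'
    r'\[org\.keycloak\.events\] \((?P<thread>[^)]*)\) (?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines in the format quoted in the issue; realm IDs, realm and
# client names are placeholders, not values from the report.
SAMPLE_LOG = [
    '2024-09-19 07:46:13,669 WARN  [org.keycloak.events] (executor-thread-1) type="REFRESH_TOKEN_ERROR", realmId="00000000-0000-0000-0000-000000000000", realmName="example-realm", clientId="security-admin-console", userId="null", ipAddress="10.3.4.133", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"',
    '2024-09-19 07:46:13,669 DEBUG [WebApplicationException] (executor-thread-1) Restarting handler chain for exception exception: org.keycloak.services.CorsErrorResponseException: invalid_grant',
    '2024-09-19 07:46:20,001 WARN  [org.keycloak.events] (executor-thread-2) type="REFRESH_TOKEN_ERROR", realmId="00000000-0000-0000-0000-000000000000", realmName="example-realm", clientId="web-app", userId="null", ipAddress="10.3.4.133", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"',
    '2024-09-19 07:47:02,412 DEBUG [org.keycloak.events] (executor-thread-1) type="LOGIN", realmId="00000000-0000-0000-0000-000000000000", realmName="example-realm", clientId="web-app", userId="b1c2d3e4", ipAddress="10.3.4.134"',
]


def parse_event(line):
    """Parse one Keycloak event line into a dict; return None for any other log line."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    event = {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f"),
        "level": m.group("level"),
        "thread": m.group("thread"),
    }
    event.update(FIELD_RE.findall(m.group("fields")))
    return event


def refresh_errors(lines):
    """Keep only REFRESH_TOKEN_ERROR events (the WARN lines the issue reports)."""
    return [e for e in map(parse_event, lines) if e and e.get("type") == "REFRESH_TOKEN_ERROR"]


def summarize(events):
    """Tally failures per (realm, client, reason). userId="null" shows the request was
    rejected before any user session was resolved, which is the symptom in the report."""
    return Counter((e["realmName"], e["clientId"], e["reason"]) for e in events)


if __name__ == "__main__":
    for key, n in summarize(refresh_errors(SAMPLE_LOG)).items():
        print(n, *key)
```

Feed it the pod log (for example the output of `kubectl logs` piped line by line) to see whether the failures are confined to one client, one realm or one source address, or are cluster-wide as they would be if tokens issued before the upgrade are rejected everywhere.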
@weim3ng weim3ng added the tech-issues The user has a technical issue about an application label Sep 19, 2024
@github-actions github-actions bot added the triage Triage is needed label Sep 19, 2024
@javsalgar javsalgar changed the title Hit REFRESH_TOKEN_ERROR error after upgrade from bitnami/keycloak 21.0.0 to 22.2.5 [bitnami/keycloak] Hit REFRESH_TOKEN_ERROR error after upgrade from bitnami/keycloak 21.0.0 to 22.2.5 Sep 23, 2024
javsalgar (Contributor) commented

Hi,

It seems that you performed an upgrade between two major Keycloak versions. It is not clear to me whether it is an issue with the Bitnami packaging of Keycloak or an issue in the application itself. Did you check with the upstream Keycloak devs?

github-actions bot commented Oct 9, 2024

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Oct 9, 2024
github-actions bot commented

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.
