Jojo

Reputation: 23

Refreshing Keycloak offline token

I am currently trying to get an offline token working with Keycloak. My problem here is that I cannot refresh a token I once received.

When I initially call the token endpoint, I get a proper response with a working access token:

{
  "access_token": "<access-token>",
  "expires_in": 900,
  "refresh_expires_in": 0,
  "refresh_token": "<refresh-token>",
  "token_type": "bearer",
  "not-before-policy": 1539890980,
  "session_state": "a178faf2-xxxx-xxxx-xxxx-fb16548b6805",
  "scope": "email profile offline_access"
}

Then, I try to refresh the token using

curl -X POST \
  https://<my-url>/auth/realms/<realm>/protocol/openid-connect/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'cache-control: no-cache' \
  -d 'client_id=<client-id>' \
  -d 'refresh_token=<refresh-token>' \
  -d 'grant_type=refresh_token'

I receive the following error:

{
  "error": "invalid_grant",
  "error_description": "Offline session not active"
}

I looked at Keycloak's Jira issues and this doesn't seem to be a known issue. Can anyone help me get the offline token running? Is there any special trick? Appreciate your help!

Upvotes: 2

Views: 8813

Answers (1)

Jerry Saravia

Reputation: 3837

Make sure your realm settings have a value greater than 0 for offline sessions. They have a separate lifetime from normal sessions.

By default I think it's set to 30 days but just double check.

Then check realm settings to see if re-use of refresh tokens is allowed as well. If you disabled re-use of tokens then make sure you don't use a refresh token more than once.

If re-use is turned off then I've got nothing that comes to mind right now. I've only seen your error when the token expires.

Upvotes: 1
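
The answer's point about disabled re-use, as an added example (not code from the question or the answer): a small Python client that replaces its stored refresh token with the one returned by each response, exercised against a constructed in-memory stand-in for the token endpoint. The class names, the stand-in and its error description are assumptions made for the illustration.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


class RefreshRejected(Exception):
    """Token endpoint answered with an OAuth error; args = (error, description)."""


def http_post(url, form):
    """POST a form-encoded body; return (status, parsed JSON), also for 4xx."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode())
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


class OfflineTokenClient:
    def __init__(self, token_url, client_id, refresh_token, post=http_post):
        self.token_url, self.client_id = token_url, client_id
        self.refresh_token = refresh_token  # store this securely in real use
        self._post = post

    def refresh(self):
        status, body = self._post(self.token_url, {
            "grant_type": "refresh_token",
            "client_id": self.client_id,
            "refresh_token": self.refresh_token,
        })
        if status != 200:
            raise RefreshRejected(body.get("error"), body.get("error_description"))
        # With re-use disabled each refresh token works once, so keep the one
        # from the latest response before handing out the access token.
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        return body["access_token"]


class FakeSingleUseEndpoint:
    """Constructed stand-in for a realm with refresh-token re-use disabled."""
    def __init__(self, first_token):
        self.valid, self.counter = first_token, 0

    def __call__(self, url, form):
        if form["refresh_token"] != self.valid:
            return 400, {"error": "invalid_grant",
                         "error_description": "constructed: token already used"}
        self.counter += 1
        self.valid = f"rt-{self.counter}"
        return 200, {"access_token": f"at-{self.counter}", "refresh_token": self.valid}
```

Against a real server, leave `post` at its default and pass the realm's token endpoint URL from the question as `token_url`.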
