user10613920

[OAuth][Keycloak] invalid_grant session not active when trying to use refresh_token

I'm trying to refresh the OAuth2 token using ClientOAuth2.Token.refresh() but I sometimes keep getting this error: {"error":"invalid_grant","error_description":"Session not active"}

This is the request, which I captured with Fiddler:

POST [URL]= HTTP/1.1
Host: [URL]
Connection: keep-alive
Content-Length: 2250
Accept: application/json, application/x-www-form-urlencoded
Origin: http://localhost:8080
Authorization: Basic YXNpbW92LWRldi1laGlzLXdlYjo=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Sec-Fetch-Mode: cors
Content-Type: application/x-www-form-urlencoded
Sec-Fetch-Site: cross-site
Referer: http://localhost:8080/
Accept-Encoding: gzip, deflate, br
Accept-Language: en,vi;q=0.9,de;q=0.8,vi-VN;q=0.7,en-US;q=0.6,en-AU;q=0.5

refresh_token=[token]&grant_type=refresh_token

Maybe something's wrong with my settings on the Keycloak account. Are there any suggestions?

Upvotes: 9

Views: 24604

Answers (4)

kaushi

Reputation: 153

You can edit your cache-ispn.xml in the conf folder to limit the offline session caches to the size you require, like below:

<distributed-cache name="offlineSessions" owners="2">
    <memory max-count="2"/>
    <expiration lifespan="-1"/>
</distributed-cache>
<distributed-cache name="offlineClientSessions" owners="2">
    <memory max-count="2"/>
    <expiration lifespan="-1"/>
</distributed-cache>

Reference from here

Upvotes: 0

Gab

Reputation: 8323

You need to add the scope offline_access when retrieving the original token, otherwise you won't be able to refresh it when the related user session is not active (this is specific to OIDC, not OAuth2).

Upvotes: 12

Gary Archer

Reputation: 29218

Could be that your refresh token grant message is incomplete - missing a client ID or offline access scope - see the Refresh Token Grant section of my article on OAuth messages.

Upvotes: 1
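
Added example, not part of the answers above, the client library or Keycloak: a Node.js diagnostic for the offline_access point raised in the two answers above. It assumes the refresh token is a JWT whose payload "typ" is "Refresh" or "Offline"; every function name and sample token here is constructed for illustration.

```javascript
// Added diagnostic example; not code from the post, the client library or Keycloak.
// Assumption: the refresh token is a JWT whose payload "typ" is "Refresh"
// (bound to the user session) or "Offline" (issued with offline_access).

// Decode the payload segment WITHOUT verifying the signature. Troubleshooting
// only; never base an authorization decision on unverified claims.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected 3 segments');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Report whether a refresh can still work once the user session has ended.
function diagnoseRefreshToken(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const p = decodeJwtPayload(token);
  const scopes = typeof p.scope === 'string' ? p.scope.split(' ').filter(Boolean) : [];
  const offline = p.typ === 'Offline';
  const expired = typeof p.exp === 'number' && p.exp > 0 && p.exp <= nowSeconds;
  let verdict;
  if (expired) verdict = 'expired: the user has to log in again';
  else if (offline) verdict = 'offline token: refresh works without an active session';
  else verdict = 'session-bound: refresh fails once the session is no longer active';
  return { typ: p.typ, scopes, offline, expired, verdict };
}

// Scope string for the initial authorization request, with offline_access added once.
function withOfflineAccess(scope) {
  const set = new Set(String(scope || '').split(' ').filter(Boolean));
  set.add('offline_access');
  return [...set].join(' ');
}

// Constructed sample tokens: unsigned placeholders, not real credentials.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc(payload)}.constructed`;
}
const sessionBound = makeSampleToken({ typ: 'Refresh', scope: 'openid profile', exp: 2000 });
const offlineToken = makeSampleToken({ typ: 'Offline', scope: 'openid offline_access' });

console.log(diagnoseRefreshToken(sessionBound, 1000).verdict);
console.log(diagnoseRefreshToken(offlineToken, 1000).verdict);
console.log(withOfflineAccess('openid profile'));
```

Refresh tokens are credentials, so run this locally on a token you own rather than pasting it into an online decoder.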

Chirag Patel

Reputation: 512

It is because you are logged out from your client application. That's why it is giving you the error.

Upvotes: -7
