Reputation: 20726
We run the following setup:
This works as expected (fine).
Our problem occurs when calling our backend services from the web browser.
For example:
```javascript
// Poll the backend (reached through the ALB reverse proxy) once a second
setInterval(() => {
  var xhr = new XMLHttpRequest();
  xhr.open('GET', 'https://our-backend-api-via.reverse.proxy.com');
  xhr.send();
}, 1000);
```
This works fine until the AccessToken is expired (60s). Then our backend sees that the token is expired and returns HTTP 401 multiple times. After a while (20 seconds) a new AccessToken is received and the backend responds fine.
The process of getting a new accessToken via the AWS ALB seems to be a black box for us; we cannot explain why expired accessTokens are sent to our backends. Shouldn't the AWS ALB renew the token in time?
Upvotes: 1
Views: 1790
Reputation: 20726
It was an implementation error. We had used the original JWT provided by Keycloak to verify the expiration time.
The correct way is to use the token provided by the ALB via the x-oidc-amazon-data header.
Upvotes: 1
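The fix in the accepted answer, shown as an added example that is not code from the question or the answers: a backend-side expiry check that reads the token the ALB itself issues and signs in the `x-amzn-oidc-data` header (the header's actual name in AWS documentation) and evaluates that token's `exp` claim, set beside the mistaken check that takes `exp` from the upstream Keycloak token. The Keycloak token is assumed here to reach the backend in `x-amzn-oidc-accesstoken`; the token values and timestamps are constructed for the demo, the tokens are unsigned, and signature verification of the ALB token against the ALB public key, which a production backend must do before trusting any claim, is left out to keep the focus on the expiry logic.

```javascript
// Added example (not code from the question or answers). Two expiry checks on the
// headers an ALB injects after OIDC authentication:
//   x-amzn-oidc-accesstoken  - the IdP (Keycloak) access token, forwarded as received
//   x-amzn-oidc-data         - the token the ALB issues and signs, with its own exp
// The question's backend checked exp on the first; the accepted answer is to check
// the second. Signature verification of the ALB token is omitted here (required in
// production). All token values below are constructed and unsigned.

const ALB_DATA_HEADER = 'x-amzn-oidc-data';
const ALB_ACCESS_TOKEN_HEADER = 'x-amzn-oidc-accesstoken'; // assumed carrier of the Keycloak JWT

// Base64url without padding, the encoding JWT segments use.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Build an unsigned JWT-shaped token (empty signature segment). Only used to
// construct sample header values; real ALB tokens carry an ES256 signature.
function makeUnsignedJwt(payload) {
  return `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url(payload)}.`;
}

// Decode the payload segment of a JWT. Node's 'base64' decoder accepts both the
// standard and the URL-safe alphabet and tolerates padding, so a padded segment
// (which some proxies emit) decodes the same as a strict base64url one.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Shared rule: a token without a numeric exp, or whose exp is not in the future,
// counts as expired.
function expClaimExpired(payload, nowSeconds) {
  return typeof payload.exp !== 'number' || payload.exp <= nowSeconds;
}

// Mistaken check (the "implementation error" from the answer): expiry taken from
// the Keycloak token, which can already be expired while the ALB session is valid,
// producing the spurious 401s the question describes.
function isExpiredByIdpToken(headers, nowSeconds) {
  return expClaimExpired(decodeJwtPayload(headers[ALB_ACCESS_TOKEN_HEADER]), nowSeconds);
}

// Correct check (the accepted answer): expiry taken from the ALB-issued token.
function isExpiredByAlbToken(headers, nowSeconds) {
  return expClaimExpired(decodeJwtPayload(headers[ALB_DATA_HEADER]), nowSeconds);
}

// Constructed request state: the Keycloak token (60 s lifetime) expired 30 s ago,
// while the ALB-issued token is valid for another 10 minutes.
const NOW = 1_700_000_000;
const sampleHeaders = {
  [ALB_ACCESS_TOKEN_HEADER]: makeUnsignedJwt({
    sub: 'user-1', iss: 'https://keycloak.example/realms/demo', exp: NOW - 30,
  }),
  [ALB_DATA_HEADER]: makeUnsignedJwt({
    sub: 'user-1', email: 'user-1@example.com', exp: NOW + 600,
  }),
};

// Run both checks against the same request; only the first one would reject it.
function demo() {
  return {
    rejectedByIdpExp: isExpiredByIdpToken(sampleHeaders, NOW), // true  -> spurious 401
    rejectedByAlbExp: isExpiredByAlbToken(sampleHeaders, NOW), // false -> request served
  };
}

console.log(demo());
```

Run it with Node (Buffer's `base64url` encoding needs Node 15.7 or later); the output shows the same request rejected by the Keycloak-token check and accepted by the ALB-token check, which is exactly the 401 pattern the question reported.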
Reputation: 28676
You have the wrong infra for your use case. ALB OIDC auth is intended for web apps. Your case looks like a SPA: the frontend in the browser will be responsible for managing auth state, i.e. it will watch token validity and trigger a token refresh before the token expires, ...
Upvotes: 0