Keycloak Offline User Session not found

7/7/2021

I have Keycloak 12.0.4 running on 3 nodes in a Kubernetes cluster. Whenever I deploy changes the nodes get restarted one by one. All nodes are owners with regard to the Infinispan cache. Every time that happens all of the offline sessions cannot be found anymore. Imagine the following:

  1. User logs in and gets their tokens
  2. User is idle for some time and the access token expires
  3. Upon user interaction the client realizes it and requests a new access token with the existing refresh token
  4. Keycloak issues a new access token and refresh token
  5. User goes idle again
  6. A deployment happens and all nodes get restarted eventually
  7. Upon user interaction the client realizes again that the access token expired and requests a new one
  8. Keycloak responds with {"error":"invalid_grant","error_description":"Offline user session not found"}
  9. User has to log in again and everything works until the next deployment

(I've listed steps 3 and 4 only to mention that the process of refreshing a token does work!)

Does anyone know why this happens? I'm using an MSSQL database and I can even see the offline user session in the table. I can also see the session when I log into the admin dashboard and check the offline sessions.

I've found this which describes a similar problem but it didn't help either.

The Keycloak documentation mentions that Keycloak preloads all offline sessions on server startup. I don't have this option disabled.

I've also checked the lifetimes on all tokens and as long as the server doesn't restart, everything works as expected.

Does anyone have an idea on why this could happen?

Thanks in advance!

-- Flo
keycloak
kubernetes
oauth-2.0

0 Answers
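
An added diagnostic example, not part of the original question and not Keycloak code: it classifies the step 8 failure by separating a refresh token that has expired from one whose session the server no longer finds, and extracts the session id the token refers to. The claim names `typ`, `exp` and `session_state`, and the meaning of `exp` being 0, are assumptions about the token layout; the sample token is constructed and unsigned.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(jwt: str) -> dict:
    """Read a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def diagnose_refresh_failure(refresh_token: str, body: str, now: int) -> dict:
    """Classify a failed refresh: expired token vs. session unknown to the server."""
    claims = decode_claims(refresh_token)
    try:
        err = json.loads(body)
    except ValueError:
        err = {}
    exp = claims.get("exp") or 0  # assumption: 0 or absent means no fixed expiry
    expired = exp != 0 and exp <= now
    lost = (err.get("error") == "invalid_grant"
            and err.get("error_description") == "Offline user session not found")
    if expired:
        verdict = "token_expired"
    elif lost:
        verdict = "server_lost_session"
    else:
        verdict = "other_error"
    return {"verdict": verdict,
            "token_type": claims.get("typ"),            # assumed claim name
            "session_id": claims.get("session_state")}  # assumed claim name

def sample_token(exp: int) -> str:
    """Constructed, unsigned sample token (not a real Keycloak token)."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    payload = b64url(json.dumps({
        "typ": "Offline", "exp": exp, "iat": 1625600000,
        "session_state": "11111111-2222-3333-4444-555555555555"}).encode())
    return f"{header}.{payload}.sig"

# Error body exactly as quoted in step 8 of the question.
STEP8_BODY = '{"error":"invalid_grant","error_description":"Offline user session not found"}'

if __name__ == "__main__":
    print(diagnose_refresh_failure(sample_token(0), STEP8_BODY, now=1625700000))
```

The returned `session_id` can be compared with the offline sessions visible in the database table and the admin dashboard to confirm that the rejected token points at a session that is still stored.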