bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/keycloak] Hit REFRESH_TOKEN_ERROR error after upgrade from bitnami/keycloak 21.0.0 to 22.2.5 #29499

Closed weim3ng closed 1 month ago

weim3ng commented 1 month ago

Name and Version

bitnami/keycloak 22.2.5

What architecture are you using?

amd64

What steps will reproduce the bug?

  1. Upgrade from bitnami/keycloak 21.0.0 to 22.2.5
  2. Environment: Azure AKS with Kubernetes version v1.28.5
  3. Run: log in with an Angular web application that uses the keycloak-angular package
  4. Get a 400 Bad Request from /realms/master/protocol/openid-connect/token with the form data below

```
grant_type=refresh_token&refresh_token=xxxxxxxx&client_id=security-admin-console
```

```json
{
    "error": "invalid_grant",
    "error_description": "Token is not active"
}
```

  5. Error in the Keycloak log

```text
2024-09-19 07:46:13,669 WARN [org.keycloak.events] (executor-thread-1) type="REFRESH_TOKEN_ERROR", realmId="f015a8e5-5478-4c9b-80b5-de1c580c3565", realmName="xxxxx", clientId="xxxx", userId="null", ipAddress="10.3.4.133", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"
2024-09-19 07:46:13,669 DEBUG [WebApplicationException] (executor-thread-1) Restarting handler chain for exception exception: org.keycloak.services.CorsErrorResponseException: invalid_grant
    at org.keycloak.protocol.oidc.grants.RefreshTokenGrantType.process(RefreshTokenGrantType.java:101)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:140)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint$quarkusrestinvoker$processGrantRequest_6408e15340992839b66447750c221d9aaa837bd7.invoke(Unknown Source)
    at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
    at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
    at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
    at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
    at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
    at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:1583)
```


### Are you using any custom parameters or values?

_No response_

### What is the expected behavior?

Able to log in successfully, as with bitnami/keycloak 21.0.0

### What do you see instead?

1. Get a 400 Bad Request from /realms/master/protocol/openid-connect/token with the form data below

- Request form data

```
grant_type=refresh_token&refresh_token=xxxxxxxx&client_id=security-admin-console
```

- Response

```json
{
    "error": "invalid_grant",
    "error_description": "Token is not active"
}
```

2. Error in the Keycloak log

```text
2024-09-19 07:46:13,669 WARN [org.keycloak.events] (executor-thread-1) type="REFRESH_TOKEN_ERROR", realmId="f015a8e5-5478-4c9b-80b5-de1c580c3565", realmName="acme2-perf", clientId="dms", userId="null", ipAddress="10.3.4.133", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"
2024-09-19 07:46:13,669 DEBUG [WebApplicationException] (executor-thread-1) Restarting handler chain for exception exception: org.keycloak.services.CorsErrorResponseException: invalid_grant
    at org.keycloak.protocol.oidc.grants.RefreshTokenGrantType.process(RefreshTokenGrantType.java:101)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:140)
    at org.keycloak.protocol.oidc.endpoints.TokenEndpoint$quarkusrestinvoker$processGrantRequest_6408e15340992839b66447750c221d9aaa837bd7.invoke(Unknown Source)
    at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
    at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
    at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
    at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
    at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
    at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
    at java.base/java.lang.Thread.run(Thread.java:1583)
```


### Additional information

yaml file
``` yaml
image:
  debug: true

auth:
  adminUser: ${KEYCLOAK_ADMIN_USER}
  adminPassword: ${KEYCLOAK_ADMIN_PASSWORD}

postgresql:
  enabled: false

externalDatabase:
  host: ${DB_HOST}
  port: 1433
  database: ${DB_NAME}
  user: ${DB_USER}
  password: ${DB_PASSWORD}

cache:
  enabled: true

production: true

proxy: edge

extraStartupArgs: "--spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --spi-sticky-session-encoder-infinispan-should-attach-route=true"

extraEnvVars:
  - name: KEYCLOAK_LOG_LEVEL
    value: DEBUG
  - name: QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY
    value: "true"
  - name: QUARKUS_TRANSACTION_MANAGER_OBJECT_STORE_DIRECTORY
    value: "/opt/bitnami/keycloak/objectstore"
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"
  - name: KC_DB
    value: "mssql"
  - name: KC_DB_URL
    value: "jdbc:sqlserver://${DB_HOST}:1433;databaseName=${DB_NAME};encrypt=true;trustServerCertificate=false;loginTimeout=30;sendStringParametersAsUnicode=false;"
  - name: KC_TRANSACTION_XA_ENABLED
    value: "false"

replicaCount: 2

resources:
  requests:
    cpu: 384m
    memory: 1536Mi
  limits:
    cpu: 500m
    memory: 2048Mi

livenessProbe:
  enabled: true
  initialDelaySeconds: 300
  periodSeconds: 1
  timeoutSeconds: 5
  failureThreshold: 3
  successThreshold: 1

readinessProbe:
  enabled: true
  initialDelaySeconds: 30
  periodSeconds: 10
  timeoutSeconds: 1
  failureThreshold: 3
  successThreshold: 1

startupProbe:
  enabled: false
  initialDelaySeconds: 30
  periodSeconds: 5
  timeoutSeconds: 1
  failureThreshold: 60
  successThreshold: 1

nodeSelector:
  application: "yes"

extraVolumeMounts:
  - mountPath: /opt/bitnami/keycloak/themes/dms
    name: theme
  - mountPath: /opt/bitnami/keycloak/objectstore
    name: objectstore

extraVolumes:
  - name: theme
  - name: objectstore

service:
  type: ClusterIP
  sessionAffinity: ClientIP
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 10800

ingress:
  annotations:
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
    nginx.ingress.kubernetes.io/cors-allow-methods: "*"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://*.xxx.xxxxxxxx.com, http://localhost:4200" 
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/proxy-buffer-size: 12k
  hostname: ${KEYCLOAK_INGRESS_HOST}
  ingressClassName: nginx-internal
  tls: true

pdb:
  create: true
  minAvailable: 1

logging:
  output: default
  level: INFO
```

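The `REFRESH_TOKEN_ERROR` lines quoted in this report follow Keycloak's `key="value"` event format, which is easy to parse for triage. The script below is an added illustration, not part of the issue or of the Bitnami chart: it parses event lines of that shape, counts refresh-token failures per realm, client and reason, and reports how many distinct clients and source addresses were affected. The sample lines are constructed in the same format with placeholder realm, client and address values, and the "looks server-side" heuristic is this example's own triage rule, not a statement from the page.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Optional

# Shape of a Keycloak event line as shown in the issue's log:
#   <date> <time>,<ms> WARN [org.keycloak.events] (<thread>) key="value", key="value", ...
EVENT_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) \[org\.keycloak\.events\] \((?P<thread>[^)]*)\) "
    r"(?P<fields>.*)$"
)
FIELD = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log lines (placeholder realm/client/IP values, same layout
# as the lines in the report). The DEBUG line and the LOGIN event are included
# to show that only org.keycloak.events REFRESH_TOKEN_ERROR lines are counted.
SAMPLE_LINES: List[str] = [
    '2024-09-19 07:46:13,669 WARN [org.keycloak.events] (executor-thread-1) type="REFRESH_TOKEN_ERROR", realmId="realm-id-placeholder", realmName="example-realm", clientId="example-app", userId="null", ipAddress="10.0.0.1", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"',
    '2024-09-19 07:46:13,669 DEBUG [WebApplicationException] (executor-thread-1) Restarting handler chain for exception exception: org.keycloak.services.CorsErrorResponseException: invalid_grant',
    '2024-09-19 07:46:20,101 WARN [org.keycloak.events] (executor-thread-2) type="REFRESH_TOKEN_ERROR", realmId="realm-id-placeholder", realmName="example-realm", clientId="security-admin-console", userId="null", ipAddress="10.0.0.2", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"',
    '2024-09-19 07:46:25,500 WARN [org.keycloak.events] (executor-thread-1) type="REFRESH_TOKEN_ERROR", realmId="realm-id-placeholder", realmName="example-realm", clientId="example-app", userId="null", ipAddress="10.0.0.3", error="invalid_token", reason="Invalid refresh token", grant_type="refresh_token", client_auth_method="client-secret"',
    '2024-09-19 07:47:01,000 INFO [org.keycloak.events] (executor-thread-3) type="LOGIN", realmId="realm-id-placeholder", realmName="example-realm", clientId="example-app", userId="user-id-placeholder", ipAddress="10.0.0.1"',
]


def parse_keycloak_event(line: str) -> Optional[Dict[str, str]]:
    """Return the event's key/value fields (plus ts, level, thread), or None for non-event lines."""
    m = EVENT_LINE.match(line.strip())
    if m is None:
        return None
    event = dict(FIELD.findall(m.group("fields")))
    event["ts"] = m.group("ts")
    event["level"] = m.group("level")
    event["thread"] = m.group("thread")
    return event


def refresh_token_errors(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield only the parsed events whose type is REFRESH_TOKEN_ERROR."""
    for line in lines:
        ev = parse_keycloak_event(line)
        if ev is not None and ev.get("type") == "REFRESH_TOKEN_ERROR":
            yield ev


def summarize_refresh_token_errors(lines: Iterable[str]) -> Counter:
    """Count refresh-token failures keyed by (realmName, clientId, reason)."""
    counts: Counter = Counter()
    for ev in refresh_token_errors(lines):
        counts[(ev.get("realmName", "?"), ev.get("clientId", "?"), ev.get("reason", "?"))] += 1
    return counts


def triage(lines: Iterable[str]) -> Dict[str, object]:
    """Summarise how widespread the failures are, to separate one bad client from a server-side cause."""
    events = list(refresh_token_errors(lines))
    ips = {ev.get("ipAddress") for ev in events}
    clients = {ev.get("clientId") for ev in events}
    # In the report's lines userId is the literal string "null": the token was
    # rejected before Keycloak could associate it with a user session.
    no_user = sum(1 for ev in events if ev.get("userId") == "null")
    return {
        "errors": len(events),
        "distinct_ips": len(ips),
        "distinct_clients": len(clients),
        "without_resolved_user": no_user,
        # Heuristic added for this example (not from the issue): several clients
        # and source addresses failing with the same reason in a short window
        # suggests a server-side cause, such as sessions lost during a rolling
        # upgrade, rather than a single misbehaving client.
        "looks_server_side": len(clients) > 1 and len(ips) > 1,
    }


if __name__ == "__main__":
    for key, n in summarize_refresh_token_errors(SAMPLE_LINES).most_common():
        print(f"{n:4d}  realm={key[0]} client={key[1]} reason={key[2]!r}")
    print(triage(SAMPLE_LINES))
```

To use it on a real deployment, feed the output of `kubectl logs` for the Keycloak pods into `summarize_refresh_token_errors` and `triage`; with `logging.level: INFO` as in the values above, the `org.keycloak.events` WARN lines are still emitted, so the DEBUG log level from the report is not required for this.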
javsalgar commented 1 month ago

Hi,

It seems that you performed an upgrade between two major Keycloak versions. It is not clear to me whether it is an issue with the Bitnami packaging of Keycloak or an issue in the application itself. Did you check with the upstream Keycloak devs?

github-actions[bot] commented 1 month ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] commented 1 month ago

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.