Replies: 7 comments 7 replies
-
I'd need to see the server debug logs and the config to be able to analyze why the refresh is in progress
-
Hi @zandbelt, And now there are no log entries any more and the session cookie gets refreshed as expected. Best regards,
-
I see, thanks: special handling for the "logout_on_error" case would be more appropriate indeed, something we'll add in the next release
-
Hi Hans, [Wed Oct 25 09:48:27.679081 2023] [auth_openidc:warn] [pid 11:tid 139725008529152] [client :49444] oidc_refresh_token_grant: refresh token routine called but existing parallel refresh is in progress, referer: https://.../index.html?force=18b659fd5d3 The only difference was / is that I was using two different users and the keycloak showed the session of the user (with the error) as active.
-
We recently upgraded to mod_auth_openidc 2.4.14.4 and are seeing similar errors on a number of services where I am not sure I understand the issue exactly. Is a user not allowed to be logged in in multiple, separate browsers as described here: #1132 (reply in thread)? To me, this seems like a very common use-case, one we see frequently. Are there other situations where this error is likely to happen? Is this error caused by a bug in mod_auth_openidc or by a mishandling of access tokens by the IDP? The options Here is an example from our error log, the response status was 401:
-
In all cases this does not prevent users from being logged in to two different clients/browsers necessarily, but the issue appears when refreshing an access token on >1 parallel calls/servers/browsers and a new refresh token is issued in each parallel request. The issue is flagged by mod_auth_openidc since it started to detect and handle this case in a different way. I wouldn't go as far as calling it a bug though, since realistically you cannot expect this scenario (parallel refresh) to work in a distributed environment when combined with rolling refresh tokens; however the upcoming release will revert the behaviour as it was before. For now I'd stick with an earlier release, even though you would end up with different refresh tokens in the 2 clients and one of them should/would not work...; the more deterministic approach (in both cases) is to not renew the refresh token on each access token refresh request
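The race described in the reply above, as an added simulation that is not code from mod_auth_openidc or Keycloak: two requests for the same session both start from one cached refresh token; with rolling (one-time-use) refresh tokens the second request fails, while either not rotating the refresh token or serializing the refreshes per session (an illustrative guard assumed here, not the project's actual mitigation) makes both succeed.

```python
import secrets


class TokenEndpoint:
    """Toy IdP token endpoint (constructed for this example).
    With rotate=True each refresh issues a new refresh token and
    revokes the old one, so a refresh token can be used exactly once."""

    def __init__(self, rotate):
        self.rotate = rotate
        self.valid = set()

    def issue(self):
        rt = secrets.token_hex(8)
        self.valid.add(rt)
        return rt

    def refresh(self, rt):
        if rt not in self.valid:
            return None  # the "access_token could not be refreshed" outcome
        if not self.rotate:
            return {"access_token": secrets.token_hex(8), "refresh_token": rt}
        self.valid.discard(rt)  # rolling refresh token: old one is now dead
        return {"access_token": secrets.token_hex(8), "refresh_token": self.issue()}


def _do_refresh(idp, session, rt):
    """One server/browser performing the refresh; returns 1 on failure."""
    result = idp.refresh(rt)
    if result is None:
        return 1
    session["refresh_token"] = result["refresh_token"]  # store rotated token
    return 0


def parallel_refresh(rotate, serialize):
    """Two concurrent refreshes of one session. Returns how many failed."""
    idp = TokenEndpoint(rotate)
    session = {"refresh_token": idp.issue()}  # shared cached session state
    if serialize:
        # per-session guard: the second request only starts after the first
        # has stored its result, so it reads the rotated refresh token
        return sum(_do_refresh(idp, session, session["refresh_token"]) for _ in range(2))
    # unguarded: both requests captured the same refresh token before either
    # completed (two servers or two tabs refreshing at the same moment)
    snapshot = session["refresh_token"]
    return sum(_do_refresh(idp, session, snapshot) for _ in range(2))
```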
-
proper mitigation for parallel refreshes is now in https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.15.3
-
Hi, I am using mod_auth_openidc to authenticate with keycloak 21.1.2.
I updated to the latest versions of:
Now I am not able to refresh tokens any more. I keep getting "refresh token routine called but existing parallel refresh is in progress" and "access_token could not be refreshed" in the apache error log and since the token cannot be refreshed, I am logged out again.
Besides the refresh token issue, authentication works well in my setup.
I started my issue journey with not encrypting the shm cache. However I received the message that the token cannot be cached because of the size. Same happens with file based cache: file too large. The issue is that the complete jwt seems to be the key.
I found some blogs about fixing this by encrypting the cache. That worked to get rid of the error messages about the cache. Now I am facing the issue with the refresh token.
Is there something I am missing?
With the older following versions I did not have these issues: