Error on parallel refresh token

[xavces]

Hello,

We faced an issue about parallel refresh token into an application. During asynchronous call, multiple request is made and when access token was expired, only the first refresh token works and other fail into 401 error.

Keycloak was configured for have only 1 refresh token use. After that, refresh token is revoke.

mod_auth_openidc version : 2.4.14.4
httpd version : 2.4.6 (Centos RHEL7)

Httpd config module :

OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer
OIDCClientID x
OIDCClientSecret 7bef4ebd-4183-4f7a-a29e-60c4b31d6326
OIDCProviderMetadataURL http://x.com/auth/realms/x/.well-known/openid-configuration
OIDCRedirectURI https://x
OIDCSessionType server-cache
OIDCRefreshAccessTokenBeforeExpiry 30
OIDCSessionInactivityTimeout 1800
OIDCCacheEncrypt On

Httpd Error Log :

[Tue Nov 28 16:23:54.682065 2023] [auth_openidc:error] [pid 12414] [client [CUT]:50543] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error_description" entry with value: ""Maximum allowed refresh token reuse exceeded"", referer: https://[CUT]
[Tue Nov 28 16:23:54.682070 2023] [auth_openidc:error] [pid 12414] [client [CUT]:50543] oidc_refresh_token_grant: access_token could not be refreshed with refresh_token: [CUT]cxOCwianRpIjoiYjVjMGU1N2MtZjAxOS00ZTA4LTg2ZmEtNWRhNjk0OTIzY2U1IiwiaXNzIjoiaHR0cDovL2ZycGFydm0zNTQwMDU1OS5jb3JwLmNhcGdlbWluaS5jb20vYXV0aC9yZWFsbXMvaW50cmFkZWYiLCJhdWQiOiJodHRwOi8vZnJwYXJ2bTM1NDAwNTU5LmNvcnAuY2FwZ2VtaW5pLmNvbS9hdXRoL3JlYWxtcy9pbnRyYWRlZiIsInN1YiI6IjY2NDEwZTNlLTMxOGYtNDE2Yy1iNGZiLWQ0YWEzMWU1YmNiYyIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJkb2Jlcm1hbi12MSIsIm5vbmNlIjoiNEdEOFh3RHI2Ujc2dlZuT2VrUkxTZ1lZbVFNWGNDT1lUS0ZocjR0MGpYayIsInNlc3Npb25fc3RhdGUiOiIzZTQ2Mzg5MC02YmU1LTQzZGMtYmQ2OS00Nzg3ZDQxYTVhNzUiLCJzY29wZSI6Im9wZW5pZCJ9.U3MM_vCdfc6QOQjp1wxW3avHm6sV0o3zFi2Xd479CM8, referer: https://[CUT]
[Tue Nov 28 16:23:54.695931 2023] [auth_openidc:error] [pid 35393] [client [CUT]:50544] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error_description" entry with value: ""Maximum allowed refresh token reuse exceeded"", referer: https://[CUT]
[Tue Nov 28 16:23:54.695938 2023] [auth_openidc:error] [pid 35393] [client [CUT]:50544] oidc_refresh_token_grant: access_token could not be refreshed with refresh_token: [CUT]cxOCwianRpIjoiYjVjMGU1N2MtZjAxOS00ZTA4LTg2ZmEtNWRhNjk0OTIzY2U1IiwiaXNzIjoiaHR0cDovL2ZycGFydm0zNTQwMDU1OS5jb3JwLmNhcGdlbWluaS5jb20vYXV0aC9yZWFsbXMvaW50cmFkZWYiLCJhdWQiOiJodHRwOi8vZnJwYXJ2bTM1NDAwNTU5LmNvcnAuY2FwZ2VtaW5pLmNvbS9hdXRoL3JlYWxtcy9pbnRyYWRlZiIsInN1YiI6IjY2NDEwZTNlLTMxOGYtNDE2Yy1iNGZiLWQ0YWEzMWU1YmNiYyIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJkb2Jlcm1hbi12MSIsIm5vbmNlIjoiNEdEOFh3RHI2Ujc2dlZuT2VrUkxTZ1lZbVFNWGNDT1lUS0ZocjR0MGpYayIsInNlc3Npb25fc3RhdGUiOiIzZTQ2Mzg5MC02YmU1LTQzZGMtYmQ2OS00Nzg3ZDQxYTVhNzUiLCJzY29wZSI6Im9wZW5pZCJ9.U3MM_vCdfc6QOQjp1wxW3avHm6sV0o3zFi2Xd479CM8, referer: https://[CUT]
[Tue Nov 28 16:23:54.717280 2023] [auth_openidc:error] [pid 33770] [client [CUT]:50545] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error_description" entry with value: ""Maximum allowed refresh token reuse exceeded"", referer: https://[CUT]
[Tue Nov 28 16:23:54.717285 2023] [auth_openidc:error] [pid 33770] [client [CUT]:50545] oidc_refresh_token_grant: access_token could not be refreshed with refresh_token: [CUT]cxOCwianRpIjoiYjVjMGU1N2MtZjAxOS00ZTA4LTg2ZmEtNWRhNjk0OTIzY2U1IiwiaXNzIjoiaHR0cDovL2ZycGFydm0zNTQwMDU1OS5jb3JwLmNhcGdlbWluaS5jb20vYXV0aC9yZWFsbXMvaW50cmFkZWYiLCJhdWQiOiJodHRwOi8vZnJwYXJ2bTM1NDAwNTU5LmNvcnAuY2FwZ2VtaW5pLmNvbS9hdXRoL3JlYWxtcy9pbnRyYWRlZiIsInN1YiI6IjY2NDEwZTNlLTMxOGYtNDE2Yy1iNGZiLWQ0YWEzMWU1YmNiYyIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJkb2Jlcm1hbi12MSIsIm5vbmNlIjoiNEdEOFh3RHI2Ujc2dlZuT2VrUkxTZ1lZbVFNWGNDT1lUS0ZocjR0MGpYayIsInNlc3Npb25fc3RhdGUiOiIzZTQ2Mzg5MC02YmU1LTQzZGMtYmQ2OS00Nzg3ZDQxYTVhNzUiLCJzY29wZSI6Im9wZW5pZCJ9.U3MM_vCdfc6QOQjp1wxW3avHm6sV0o3zFi2Xd479CM8, referer: https://[CUT]

Keycloak LOG :

16:23:54,680 WARN  [org.keycloak.events] (default task-272) type=REFRESH_TOKEN_ERROR, realmId=[CUT], clientId=[CUT], userId=66410e3e-318f-416c-b4fb-d4aa31e5bcbc, ipAddress=[CUT], error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=b5c0e57c-f019-4e08-86fa-5da694923ce5, client_auth_method=client-secret
16:23:54,694 WARN  [org.keycloak.events] (default task-272) type=REFRESH_TOKEN_ERROR, realmId=[CUT], clientId=[CUT], userId=66410e3e-318f-416c-b4fb-d4aa31e5bcbc, ipAddress=[CUT], error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=b5c0e57c-f019-4e08-86fa-5da694923ce5, client_auth_method=client-secret
16:23:54,715 WARN  [org.keycloak.events] (default task-272) type=REFRESH_TOKEN_ERROR, realmId=[CUT], clientId=[CUT], userId=66410e3e-318f-416c-b4fb-d4aa31e5bcbc, ipAddress=[CUT], error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=b5c0e57c-f019-4e08-86fa-5da694923ce5, client_auth_method=client-secret

Do you have any solution for avoid this problem?

Thank you for your answer!

[zandbelt]

you cannot reliably use parallel refreshes with a rolling refresh token by definition but I'd suggest to configure:

OIDCRefreshAccessTokenBeforeExpiry 30 authenticate_on_error

to mitigate this behavior by making the user go through an authentication roundtrip to the Provider - possibly leveraging SSO - and get a new refresh token

[zandbelt]

there's a best-effort mitigation in place in https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.15.3