Refresh Token Failure on Keycloak


We have set up a Shiny Proxy instance with Keycloak authentication and all works fine (i.e. user authentication works, groups are applied, etc.).

However, Shiny Proxy logs are cluttered with the following error, every 5 seconds or so:

ERROR 1 --- [        Timer-1] o.k.a.RefreshableKeycloakSecurityContext : Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Token is not active"}

We see the following in Keycloak logs:

WARN  [] (default task-1260) type=REFRESH_TOKEN_ERROR, realmId=myrealm, clientId=shinyproxy, userId=null, ipAddress=(removed), error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret

Note that this has no visible impact on the user’s activity and all seems to work fine. Nevertheless, it generates a lot of noisy logs and I would like to get to the bottom of this. From the logs it looks like Shiny Proxy is trying to renew the user access token (every 5 seconds!?) but the refresh token has expired. Any help in troubleshooting this would be welcomed!

Additional info that might be helpful

shiny proxy version: ShinyProxy 2.6.0 (ContainerProxy 0.8.10) - running in a Docker container
keycloak version: Keycloak 12.0.1 (WildFly Core 13.0.3.Final)

Shiny Proxy authentication configuration (sensitive parts have been sanitized):

  authentication: keycloak
  keycloak:
    realm: myrealm
    resource: shinyproxy
    credentials-secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
    use-resource-role-mappings: true
    name-attribute: preferred_username

I have used Insomnia to perform an OpenID Connect login flow and look at the tokens, and I can see that:

  • the access token expires after 5 minutes
  • the refresh token expires after 30 minutes

I think Keycloak works by providing a new access token & refresh token when performing a refresh. Could it be that Shiny Proxy keeps the first refresh token in memory?

Thanks for any help,
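
Added example, not part of the original post: a small Python helper that decodes the `exp`, `iat` and `typ` claims of a token without verifying its signature, to check whether a refresh token a client is still holding has outlived the 30-minute lifetime mentioned above. The tokens, timestamps and function names are constructed for illustration, and the `typ` values are an assumption about what Keycloak puts in its JWTs.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def token_state(token: str, now: int) -> dict:
    """Summarise a token's lifetime and whether `exp` has passed at `now` (epoch s)."""
    claims = decode_claims(token)
    exp, iat = claims.get("exp"), claims.get("iat")
    return {
        "typ": claims.get("typ"),
        "lifetime_s": exp - iat if exp is not None and iat is not None else None,
        "remaining_s": exp - now if exp is not None else None,
        # Only checks `exp`; the server can still reject an unexpired token
        # for other reasons, so False here is not proof the refresh will work.
        "expired": exp is not None and now >= exp,
    }

def _make_sample(claims: dict) -> str:
    # Constructed sample token with a dummy signature, for this offline example only.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "HS256", "typ": "JWT"})}.{enc(claims)}.c2ln'

T0 = 1_700_000_000  # constructed login time (epoch seconds)
FIRST_ACCESS = _make_sample({"typ": "Bearer", "iat": T0, "exp": T0 + 5 * 60})
FIRST_REFRESH = _make_sample({"typ": "Refresh", "iat": T0, "exp": T0 + 30 * 60})

if __name__ == "__main__":
    # A client that never replaces its first refresh token: fine at 6 minutes,
    # past `exp` at 31 minutes, after which every refresh attempt would fail.
    for label, offset in (("login + 6 min", 360), ("login + 31 min", 1860)):
        print(label, "access:", token_state(FIRST_ACCESS, T0 + offset))
        print(label, "refresh:", token_state(FIRST_REFRESH, T0 + offset))
```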