Hi,
We have set up a Shiny Proxy instance with Keycloak authentication and all works fine (i.e. user authentication works, groups are applied, etc.).
However, Shiny Proxy logs are cluttered with the following error, every 5 seconds or so:
ERROR 1 --- [ Timer-1] o.k.a.RefreshableKeycloakSecurityContext : Refresh token failure status: 400 {"error":"invalid_grant","error_description":"Token is not active"}
We see the following in Keycloak logs:
WARN [org.keycloak.events] (default task-1260) type=REFRESH_TOKEN_ERROR, realmId=myrealm, clientId=shinyproxy, userId=null, ipAddress=(removed), error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret
Note that this has no visible impact on the user’s activity and all seems to work fine. Nevertheless, it generates a lot of noisy logs and I would like to get to the bottom of this. From the logs it looks like Shiny Proxy is trying to renew the user access token (every 5 seconds!?) but the refresh token has expired. Any help in troubleshooting this would be welcomed!
Additional info that might be helpful:
shiny proxy version: ShinyProxy 2.6.0 (ContainerProxy 0.8.10) - running in a Docker container
keycloak version: Keycloak 12.0.1 (WildFly Core 13.0.3.Final)
Shiny Proxy authentication configuration (sensitive parts have been sanitized):
authentication: keycloak
keycloak:
  realm: myrealm
  auth-server-url: https://account.domain.com/auth
  resource: shinyproxy
  credentials-secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
  use-resource-role-mappings: true
  name-attribute: preferred_username
I have used Insomnia to perform an OpenID Connect login flow and look at the tokens, and I can see that:
- the access token expires after 5 minutes
- the refresh token expires after 30 minutes
I think Keycloak works by providing a new access token & refresh token when performing a refresh. Could it be that Shiny Proxy keeps the first refresh token in memory?
Thanks for any help,
Alexis
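
Added example, not part of the original post and not ShinyProxy or Keycloak code: a small Python check that reads the `iat`/`exp`/`typ` claims of an access/refresh token pair and reports whether a refresh attempt at a given moment can still succeed, using the 5-minute and 30-minute lifetimes quoted above. It assumes both tokens are compact JWTs carrying those claims; the function names and the sample tokens are constructed for illustration.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_state(token: str, now: float) -> dict:
    """Summarise the token type, its total lifetime and whether it is still active."""
    claims = jwt_claims(token)
    return {
        "typ": claims.get("typ"),
        "lifetime_s": claims["exp"] - claims["iat"],
        "remaining_s": claims["exp"] - now,
        "active": now < claims["exp"],
    }


def diagnose(access: str, refresh: str, now: float) -> str:
    if token_state(access, now)["active"]:
        return "access token still valid, no refresh needed"
    if token_state(refresh, now)["active"]:
        return "access token expired, refresh should succeed"
    # Retrying with this refresh token only produces the invalid_grant error again.
    return "refresh token expired, refresh is rejected until the user logs in again"


def make_token(typ: str, iat: int, lifetime_s: int) -> str:
    # Constructed sample token with a placeholder signature (assumption: claim layout).
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"typ": typ, "iat": iat, "exp": iat + lifetime_s}).encode())
    return f"{header}.{body}.sig"


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed issue time
    access = make_token("Bearer", issued, 5 * 60)     # 5-minute access token
    refresh = make_token("Refresh", issued, 30 * 60)  # 30-minute refresh token
    for minutes in (4, 10, 31):
        print(f"t+{minutes:>2} min: {diagnose(access, refresh, issued + minutes * 60)}")
```

Pasting the real tokens captured with Insomnia into `diagnose` with `time.time()` as `now` shows which of the three states the session is in when the error is logged.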