I am not sure if this is the right place to ask that question, since I’m not sure if it’s a problem with SpringSecurity or with Vaadin, but I thought I’ll try it:
I set up a Vaadin Spring Boot application and configured it to use Keycloak for authentication. The Vaadin app will also call some rest-services, so I thought it’s a good idea to centralize user authentication.
Anyway, logging into the application works fine and so does logging out. I am able to refresh my access tokens and call the rest-api.
However, I noticed that Keycloak has an SSO Idle setting (default: 30 min) set. If I don’t do anything with my Vaadin app for that time, the session will become invalid. When going back to the Vaadin app and trying to do anything, I will receive two exceptions (see comments)
I think that the WebClient used to make the API-call tries to renew the access/refresh-tokens and then notices that its session expired.
From my understanding, the WebClient wouldn’t be able to attempt that, if the Vaadin Session was invalidated after the Keycloak Session expired.
I would expect the Vaadin frontend to show the login page to the user after the session expired. Does anyone have an idea how to handle that? I thought that maybe I would have to catch that type of Exception and then invalidate the Vaadin Session, but I’m not sure about that approach.
To be honest, I’m quite a newbie to SpringSecurity/Keycloak, so I would be thankful for any help
org.springframework.security.oauth2.client.ClientAuthorizationException: [invalid_grant] Token is not active
at org.springframework.security.oauth2.client.RefreshTokenOAuth2AuthorizedClientProvider.getTokenResponse(RefreshTokenOAuth2AuthorizedClientProvider.java:105) ~[spring-security-oauth2-client-6.2.2.jar:6.2.2]
Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
Error has been observed at the following site(s):
*__checkpoint ⇢ Request to GET http://127.0.0.1:8085/analysis/8 [DefaultWebClient]
and also:
org.springframework.security.oauth2.client.ClientAuthorizationRequiredException: [client_authorization_required] Authorization required for Client Registration Id: keycloak
at org.springframework.security.oauth2.client.AuthorizationCodeOAuth2AuthorizedClientProvider.authorize(AuthorizationCodeOAuth2AuthorizedClientProvider.java:57) ~[spring-security-oauth2-client-6.2.2.jar:6.2.2]
Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
Error has been observed at the following site(s):
*__checkpoint ⇢ Request to GET http://127.0.0.1:8085/analysis/8 [DefaultWebClient]
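One way to implement the approach sketched above (catch the OAuth2 client exception and invalidate the Vaadin session so the user lands on the login page again), as an added example that is not from the original post. It assumes Vaadin Flow 24 with vaadin-spring, Spring Security 6's default login redirect path /oauth2/authorization/keycloak for the registration id "keycloak", and that the WebClient call runs inside a Vaadin request so the session's ErrorHandler sees the exception.

```java
import com.vaadin.flow.component.UI;
import com.vaadin.flow.server.DefaultErrorHandler;
import com.vaadin.flow.server.ErrorEvent;
import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinServiceInitListener;
import com.vaadin.flow.server.VaadinSession;
import com.vaadin.flow.server.WrappedSession;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.ClientAuthorizationException;
import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException;
import org.springframework.stereotype.Component;

/** Registers a per-session ErrorHandler that reacts to an expired Keycloak session. */
@Component
public class ExpiredSsoSessionHandler implements VaadinServiceInitListener {

    // Assumption: Spring Security's default authorization-request path for the "keycloak" registration.
    private static final String LOGIN_PATH = "/oauth2/authorization/keycloak";

    @Override
    public void serviceInit(ServiceInitEvent event) {
        event.getSource().addSessionInitListener(
                init -> init.getSession().setErrorHandler(this::handleError));
    }

    private void handleError(ErrorEvent errorEvent) {
        if (!isExpiredAuthorization(errorEvent.getThrowable())) {
            DefaultErrorHandler.doDefault(errorEvent); // unrelated errors keep Vaadin's default handling
            return;
        }
        UI ui = UI.getCurrent();
        if (ui != null) {
            ui.getPage().setLocation(LOGIN_PATH); // send the browser back through the login flow
        }
        SecurityContextHolder.clearContext(); // drop the stale OAuth2 principal
        VaadinSession session = VaadinSession.getCurrent();
        if (session != null) {
            WrappedSession http = session.getSession();
            session.close();
            if (http != null) {
                http.invalidate(); // servlet session gone: the next request must authenticate again
            }
        }
    }

    /** Walks the cause chain: the exception may arrive wrapped by reactor or Vaadin's RPC layer. */
    static boolean isExpiredAuthorization(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof ClientAuthorizationRequiredException) return true; // no valid authorized client
            if (c instanceof ClientAuthorizationException e
                    && "invalid_grant".equals(e.getError().getErrorCode())) return true; // refresh rejected
        }
        return false;
    }
}
```

Matching on the error code rather than on any ClientAuthorizationException keeps genuine misconfiguration errors (wrong client secret, unreachable token endpoint) visible in the default handler instead of silently logging the user out.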
Hi, I’m also having this issue where my web application does not redirect to the login page or prompt a warning to inform the user of a session expiry when a session is expired. If anyone knows how to solve this, it would be helpful.