
Silent Refresh with multiple tabs #967

Closed
claria opened this issue Apr 14, 2023 · 9 comments
Labels
Keycloak Identity question Further information is requested

Comments

claria commented Apr 14, 2023

Hi,

  • we use Keycloak (21.0.3) as Identity Provider (which in turn has an Azure B2C identity provider configured).
  • we use sessionStorage as user store.

When a user has a single browser tab with the application open, all works fine. Silent Refresh works etc.

The problems begin when the user opens a second tab:

  1. User opens Tab 1
     • Receives an id token with {"auth_time": 1681480908, "session_state": "1ca6594a-677b-4d10-a30f-ab6941abee88"}
  2. User opens Tab 2
     • Receives an id token with {"auth_time": 1681480982, "session_state": "1ca6594a-677b-4d10-a30f-ab6941abee88"}
  3. SilentRefresh is triggered on Tab 1
     • SilentRefresh fails and returns id token with {"auth_time": 1681480982, "session_state": "1ca6594a-677b-4d10-a30f-ab6941abee88"}
     • silentRefresh fails with error: auth_time in id_token does not match original auth_time
  4. SilentRefresh is triggered on Tab 2
     • silentRefresh works and returns id token with {"auth_time": 1681480982, "session_state": "1ca6594a-677b-4d10-a30f-ab6941abee88"}

As you can see, the silent refresh from tab 1 yields an id token with the auth_time from tab 2 and thus fails. What are we doing wrong?
I think, this is a basic configuration issue on our side and not a bug.

Thanks for your help! (And this awesome library)
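The error quoted above comes from the consistency check that OpenID Connect Core 1.0 §12.2 requires on an ID token returned by a refresh: iss, sub and aud must match the original ID token, and auth_time, if present, must still be the time of the original authentication. The following is an added example, not oidc-client-ts code, that mirrors that check and replays the two-tab scenario from the report with constructed, unsigned tokens (the issuer, sub and aud values are assumed; only the auth_time and session_state values come from the report). Signature verification is deliberately out of scope here.

```javascript
// Added example (not oidc-client-ts code): the refresh-time ID token checks
// from OpenID Connect Core 1.0 section 12.2, applied to the scenario in the
// issue. Tokens are constructed and unsigned; only claim comparison is shown.

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Build an unsigned three-part JWT from a claims object (constructed test data,
// alg "none"; a real token would carry the IdP's signature in the third part).
function makeIdToken(claims) {
  return `${b64url({ alg: "none", typ: "JWT" })}.${b64url(claims)}.`;
}

// Decode the payload of a JWT without verifying it. Verification is assumed to
// have happened earlier in the flow; here we only need the claims to compare.
function decodeClaims(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Compare a refreshed ID token with the one obtained at login:
//  - iss, sub and aud must be unchanged,
//  - auth_time, if the original had one, must be the original authentication
//    time rather than the time of the refresh,
//  - iat must be the new issuance time, so it must not precede the original.
// Returns { ok: true } or { ok: false, error }.
function validateRefreshedIdToken(originalToken, refreshedToken) {
  const orig = decodeClaims(originalToken);
  const next = decodeClaims(refreshedToken);
  if (next.iss !== orig.iss) return { ok: false, error: "iss in id_token does not match original iss" };
  if (next.sub !== orig.sub) return { ok: false, error: "sub in id_token does not match original sub" };
  if (next.aud !== orig.aud) return { ok: false, error: "aud in id_token does not match original aud" };
  if (orig.auth_time !== undefined && next.auth_time !== orig.auth_time) {
    return { ok: false, error: "auth_time in id_token does not match original auth_time" };
  }
  if (next.iat < orig.iat) return { ok: false, error: "iat in id_token is older than original iat" };
  return { ok: true };
}

// Replay the report: two tabs share one Keycloak SSO session (same
// session_state). Tab 2's login re-authenticated that session, so the server
// now reports the later auth_time to whichever tab refreshes next.
const ISS = "https://keycloak.example.test/realms/demo"; // assumed issuer
const SESSION = "1ca6594a-677b-4d10-a30f-ab6941abee88"; // from the report
const base = { iss: ISS, sub: "user-1", aud: "spa-client", session_state: SESSION }; // sub/aud assumed

const tab1Original = makeIdToken({ ...base, auth_time: 1681480908, iat: 1681480908 });
const tab2Original = makeIdToken({ ...base, auth_time: 1681480982, iat: 1681480982 });
// What the server hands back to either tab on silent refresh after tab 2 logged in:
const refreshed = makeIdToken({ ...base, auth_time: 1681480982, iat: 1681481100 });

function runScenario() {
  return {
    tab1: validateRefreshedIdToken(tab1Original, refreshed),
    tab2: validateRefreshedIdToken(tab2Original, refreshed),
  };
}

const result = runScenario();
console.log("tab 1:", result.tab1); // fails: auth_time moved from ...908 to ...982
console.log("tab 2:", result.tab2); // ok: tab 2 already held auth_time ...982
```

The point of the replay is that the client is behaving correctly: a refresh that changes auth_time looks, from the client's side, exactly like a token for a different authentication event, so rejecting it is the safe default. The cause has to be found on the server side, in whatever made the shared session report a new authentication time.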

@claria claria changed the title silentrefresh with multiple sessions Silent Refresh with multiple tabs Apr 14, 2023
Badisi (Contributor) commented Apr 14, 2023

If you are using Refresh Token rotation then I'm afraid this is a known issue with Keycloak:
keycloak/keycloak#14122

(more details here: keycloak/keycloak#16081 for why this is happening)

The actual fix is to disable the refresh token rotation in KC.. but then you get exposed to other security risks.

claria (Author) commented Apr 14, 2023

Are you referring to this option (in the realm settings)?

"Revoke Refresh Token" has always been disabled in my configuration.

(screenshot of the realm's Tokens settings omitted)

claria (Author) commented Apr 14, 2023

@Badisi I think this must be a different problem since I send the refresh token and get back a new set of valid tokens.

However, the auth_time of the tokens I receive does not match the original auth_time anymore, which leads to the above error raised within oidc-client-ts.

pamapa (Member) commented Apr 14, 2023

This is a known issue, see #430, I will close this issue as it's a duplicate.

There is a pending merge request (#434), which stalled, maybe someone has time to implement the defined solution (see comments in merge request)...

@pamapa pamapa added the duplicate This issue or pull request already exists label Apr 14, 2023
Badisi (Contributor) commented Apr 14, 2023

@claria, the issue mentioned by @pamapa is also about refresh token rotation.
If you are not using it (which seems the case based on your screenshot) then multi-tabs shouldn't be an issue.


I've successfully made it work using this demo app.
(at least with a local KC legacy, don't know about the latest..)

  1. open it in 2 different tabs
  2. create new settings on each tab to point to your KC
  3. trigger a silent renew manually in both apps
  4. everything should work fine

claria (Author) commented Apr 14, 2023

@Badisi

Thanks for your support. I set Keycloak up in your demo app.

  1. logged in in tab 1 --> works
  2. logged in in tab 2 --> works
  3. clicked Silent Renew in tab 1 --> fails
  4. clicked silent renew in tab 2 --> works

(screenshot of the failing silent renew in the demo app omitted)

claria (Author) commented Apr 14, 2023

@Badisi

Just to be sure, I tried it as well with the "Revoke Refresh Token" setting enabled.

  1. logged in in tab 1 --> works
  2. logged in in tab 2 --> works
  3. clicked silentrenew in tab 1 --> fails (with same error as above, auth_time does not match)
  4. clicked silentrenew in tab 2 --> fails (with error: Stale token)

claria (Author) commented Apr 14, 2023

Hi,

As I mentioned in my initial post, we have Azure B2C as Identity Provider in Keycloak.

When I do NOT use Azure B2C as Identity Provider but a local user login, everything works.

As soon as I log in to Keycloak via Azure B2C, the silent login does not work anymore.

claria (Author) commented Apr 14, 2023

Arghh.

The issue was a simple configuration error.
When the identity provider Azure B2C was set up, the scopes did not include "offline_access". When I added the scope to the IdP configuration, everything works perfectly.

Maybe this helps somebody sometimes.

Thank you very much for your help and time!!!

@claria claria closed this as completed Apr 14, 2023
@pamapa pamapa added question Further information is requested and removed duplicate This issue or pull request already exists labels Apr 18, 2023