Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
UserId is always null when refresh token
See original GitHub issueHi,
I am using: Camunda Platform RUN - 7.14.0 KeyCloak Plugin 2.1.0
Our client configuration in the keycloak plugin is as follows:
plugin.identity.keycloak:
...
clientId: ${keycloak.client.id}
clientSecret: ${keycloak.client.secret}
useUsernameAsCamundaUserId: true
useGroupPathAsCamundaGroupId: true
Login works fine, but we do see warnings ins camunda logs regulary:
2021-07-12 13:50:38.235 ERROR 11 --- [io-8080-exec-13] org.camunda.bpm.extension.keycloak : KEYCLOAK-01012 TOKEN refresh failed: 400 Bad Request: [{"error":"invalid_grant","error_description":"Invalid refresh token"}]
In Keycloak, I can see that the userId is null.
12:24:06,767 WARN [org.keycloak.events] (default task-366) type=REFRESH_TOKEN_ERROR, realmId=dpa, clientId=camunda-identity-service, userId=null, ipAddress=10.16.45.41, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret
Now, according to this stackoverflow the error message from keycloak inbalid refresh token may be connected with an invalid userId.
Is it possible userId is somehow not set in KeyCloakIdentityProviderPlugin?
Thank you for any hint.
Markus
Issue Analytics
- State:
- Created 2 years ago
- Comments:9
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@Noordsestern
One more hint: refreshing the token does not use the userId. It uses the refresh token part from the original token together with grant type refresh_token. So it is not a mistake, that the userId within the request is null. All data required by Keycloak is then taken from the sent refresh token. The mistake is, that the refresh token is not accepted any more.
Can you attach the settings of the
camunda-identity-service?Hi @Noordsestern,
this looks strange. Maybe an incomplete configuration? Before anything else I would check the following things:
plugin.identity.keycloak: you should configure either anadministratorUserIdor anadministratorGroupName. When using the group you should have a user assigned to this group within the realm you’re connecting to.Ok, so far for the simple standard stuff. What else? Hmm…
Can you tell me a little bit more about your user management on the Keycloak side? Do you just setup a trial and use Keycloak internal users? Are you using the LDAP federation? Are you using any other connections? Did you do anything special within your Keycloak instance? Or did you just follow the proposed standard setup of the
camunda-identity-service? What about Camunda Spring Boot? Do you aim for the complete SSO setup? Or do you keep using the Camunda Login Form?