Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

UserId is always null when refresh token

See original GitHub issue


I am using: Camunda Platform RUN - 7.14.0 KeyCloak Plugin 2.1.0

Our client configuration in the keycloak plugin is as follows:

  clientId: ${}
  clientSecret: ${keycloak.client.secret}
  useUsernameAsCamundaUserId: true
  useGroupPathAsCamundaGroupId: true

Login works fine, but we do see warnings ins camunda logs regulary:

2021-07-12 13:50:38.235 ERROR 11 --- [io-8080-exec-13] org.camunda.bpm.extension.keycloak       : KEYCLOAK-01012 TOKEN refresh failed: 400 Bad Request: [{"error":"invalid_grant","error_description":"Invalid refresh token"}]

In Keycloak, I can see that the userId is null.

12:24:06,767 WARN  [] (default task-366) type=REFRESH_TOKEN_ERROR, realmId=dpa, clientId=camunda-identity-service, userId=null, ipAddress=, error=invalid_token, grant_type=refresh_token, client_auth_method=client-secret

Now, according to this stackoverflow the error message from keycloak inbalid refresh token may be connected with an invalid userId.

Is it possible userId is somehow not set in KeyCloakIdentityProviderPlugin?

Thank you for any hint.


Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:9

github_iconTop GitHub Comments

VonDerBeckcommented, Jul 13, 2021


One more hint: refreshing the token does not use the userId. It uses the refresh token part from the original token together with grant type refresh_token. So it is not a mistake, that the userId within the request is null. All data required by Keycloak is then taken from the sent refresh token. The mistake is, that the refresh token is not accepted any more.

Can you attach the settings of the camunda-identity-service ?

VonDerBeckcommented, Jul 13, 2021

Hi @Noordsestern,

this looks strange. Maybe an incomplete configuration? Before anything else I would check the following things:

  1. Have you checked all the prerequesites in the Keycloak realm mentioned in the README?
  2. Under plugin.identity.keycloak: you should configure either an administratorUserId or an administratorGroupName. When using the group you should have a user assigned to this group within the realm you’re connecting to.

Ok, so far for the simple standard stuff. What else? Hmm…

Can you tell me a little bit more about your user management on the Keycloak side? Do you just setup a trial and use Keycloak internal users? Are you using the LDAP federation? Are you using any other connections? Did you do anything special within your Keycloak instance? Or did you just follow the proposed standard setup of the camunda-identity-service? What about Camunda Spring Boot? Do you aim for the complete SSO setup? Or do you keep using the Camunda Login Form?

Read more comments on GitHub >

github_iconTop Results From Across the Web

UserId is always null when refresh token · Issue #68 - GitHub
It uses the refresh token part from the original token together with grant type refresh_token. So it is not a mistake, that the...
Read more > mvc - User is always null when using AspNet.Security ...
This works just fine, I can get the access token and the users are authenticated successfully. The issue that I'm facing here is...
Read more >
Refresh token Coming null - Okta Developer Community
Hi , I am using spring with dynamic client registration with okta. When user tries to access the resources, app is redirecting to...
Read more >
User Management return null refresh token for google social ...
I'm integrating auth 0 with google social login. Since I am trying to call google classroom api, I would need a valid access...
Read more >
Retrieve an Access Token and Refresh Token
Device Token Request. To request the user's access token from Login with Amazon, make a secure HTTP POST request to ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found