Closed
Labels
area/token-exchange, kind/bug, priority/important, release/26.2.6, release/26.3.0, team/core-clients
Description
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
token-exchange
Describe the bug
Token exchange can return negative expiration values (in the past) when using an offline session. The main reason is that Keycloak is using a transient session; that session is not detected as offline, and therefore the timeouts are calculated using online values.
Example returned response in a demo realm:
{
"access_token":"ey..",
"expires_in":-103,
"refresh_expires_in":0,
"token_type":"Bearer",
"not-before-policy":0,
"session_state":"af927eef-cb86-4c91-8fa0-32a7f65f625a",
"scope":"profile email",
"issued_token_type":"urn:ietf:params:oauth:token-type:access_token"
}
And the access token is also in the past:
{
"exp": 1750325886,
"iat": 1750325989,
"auth_time": 1750325570,
"jti": "ftrtte:bebe8121-31e9-457c-b57b-63f4dd64500e",
"iss": "http://localhost:8080/realms/test-session",
...
}
Version
26.2.5
Regression
- The issue is a regression
Expected behavior
The response in token exchange should be OK and with correct expiration values.
Actual behavior
It returns expiration times in the past.
How to Reproduce?
- Modify the realm to have a short SSO Session Max (5 mins for example).
- Create an offline session using code to token.
- Wait more than the 5 mins that would have expired an online session.
- Refresh the offline token to obtain a new access token.
- With the new access token perform a token exchange request.
- The values returned are in the past (calculation is done like it was an online session which would have been expired).
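A client-side sanity check for the failure described above, added here as an example (not code from the issue or from the Keycloak project): it decodes the access token payload without verifying the signature and flags a non-positive expires_in, an exp that precedes iat, and a token that is already expired. The sample response is constructed from the exp/iat values quoted in the report; the token is an unsigned JWT-shaped string built only for this check.

```python
import base64
import json
import time


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped token for testing only (alg none, empty signature)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Read the payload segment without signature verification (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding JWT strips
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_response(resp: dict, now=None) -> list:
    """Return the lifetime problems found in a token (exchange) response."""
    now = int(time.time()) if now is None else now
    problems = []
    expires_in = resp.get("expires_in", 0)
    if expires_in <= 0:
        problems.append(f"expires_in is not positive: {expires_in}")
    claims = decode_claims(resp["access_token"])
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is not None and iat is not None:
        if exp <= iat:
            problems.append(f"exp ({exp}) is not after iat ({iat})")
        if abs((exp - iat) - expires_in) > 1:
            problems.append(f"expires_in ({expires_in}) does not match exp - iat ({exp - iat})")
    if exp is not None and exp <= now:
        problems.append(f"access token already expired (exp={exp}, now={now})")
    return problems


# Constructed sample using the exp/iat values quoted in the report: exp is 103 s before iat.
BUGGY_CLAIMS = {"exp": 1750325886, "iat": 1750325989, "auth_time": 1750325570,
                "iss": "http://localhost:8080/realms/test-session"}
BUGGY_RESPONSE = {"access_token": build_unsigned_jwt(BUGGY_CLAIMS), "expires_in": -103,
                  "refresh_expires_in": 0, "token_type": "Bearer"}

if __name__ == "__main__":
    for problem in check_token_response(BUGGY_RESPONSE, now=1750325989):
        print("problem:", problem)
```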
Anything else?
No response
lorenzbaier