
UserInfo request fails by using an access token obtained in Hybrid flow with offline_access scope #39037

Closed
@tnorimat

Description


Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

oidc

Describe the bug

In hybrid flow with offline_access scope (response_type = code token OR code token id_token, scope = openid offline_access), a UserInfo request with an access token obtained from an authorization response fails with 401 Unauthorized (error = "invalid_token", error_description="user_session_not_found").

In versions earlier than 26.2.0, it does not happen.

Due to this issue, Keycloak 26.2.0 cannot pass OpenID Foundation's OIDC conformance tests, while all earlier versions of Keycloak could pass.

Version

26.2.0

Regression

  • The issue is a regression

Expected behavior

We can get an appropriate UserInfo response as 200 OK.

Actual behavior

We get an error UserInfo response as 401 Unauthorized (error = "invalid_token", error_description="user_session_not_found").

How to Reproduce?

  1. Send an authorization request with response_type = code token OR code token id_token, which means doing OIDC hybrid flow, and scope = openid offline_access.
  2. On the login screen, a user inputs their username and password, which leads to a successful login.
  3. On the consent screen, the user inputs their consent.
  4. Receive an authorization response with an access token.
  5. Send a UserInfo request with the access token.
  6. Receive an error UserInfo response.

Example:
[1] an authorization request
{
"client_id": "0908b642-8d6c-4075-80e2-d2d7628c9bb1",
"redirect_uri": "https://conformance-suite.keycloak-fapi.org/test/a/keycloak/callback",
"scope": "openid offline_access",
"state": "YQhigLVlWq",
"nonce": "Baki3USTOx",
"response_type": "code token",
"prompt": "consent"
}
->
https://as.keycloak-fapi.org/auth/realms/test/protocol/openid-connect/auth?client_id=0908b642-8d6c-4075-80e2-d2d7628c9bb1&redirect_uri=https://conformance-suite.keycloak-fapi.org/test/a/keycloak/callback&scope=openid%20offline_access&state=YQhigLVlWq&nonce=Baki3USTOx&response_type=code%20token&prompt=consent

[4] an authorization response
https://conformance-suite.keycloak-fapi.org/test/a/keycloak/callback#state=YQhigLVlWq&session_state=8d1f2e10-0df9-403f-a6f0-23e32e1d02d9&iss=https%3A%2F%2Fas.keycloak-fapi.org%2Fauth%2Frealms%2Ftest&code=acdefaa9-1718-4376-b8bc-111054e2bfb0.8d1f2e10-0df9-403f-a6f0-23e32e1d02d9.0908b642-8d6c-4075-80e2-d2d7628c9bb1&access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxT0xKY2JnOFZ1eDhXWVJ3VWxjV3FaZmlTLTJGYXVpY05VVFh4bEoxUjY0In0.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.i1UKWec7MtZTJVs8Feu6iK6yzsTeL12D7ak2rNStmZ9VyiBCb39Mq1Bcc5nlStdbdq335Mu-rvnV6c7aKegDakvWAPG4OHP8aikZAHAI0NLeZSbEflOmoIfEuBvXbcR0E3nbHvO9IvI0Oyh-Ehbg9HOJihNdl_0jrsK6yjF3bT2ilEtk__Zsr24jxuP6lQmb8E9MipMExh8xzkWCvIbjL4tP0gTuE24lIy1aP_UYmvwnnT4Pujx2zf_RhHPzwaUSa5IvcJrOyid1zmmEZn6ms7YCMQAgbFgCMe8j_xeCZKEIkFbeJxRsi4q62SrT9i0e6Tv3X_aD_JXQibr07gbMyg&token_type=Bearer&expires_in=300

[6] an error UserInfo response
401 Unauthorized
Header:
"www-authenticate": "Bearer realm="test", error="invalid_token", error_description="user_session_not_found"",

Anything else?

I found the issue when I ran the OpenID Foundation's OIDC conformance test against Keycloak 26.2.0.

(1) The authorization request's scope includes "offline_access", which may contribute to this issue.
(2) When receiving the UserInfo request, Keycloak outputs the following logs about AccessTokenContext

 accessTokenContext.getSessionType() = OFFLINE
 accessTokenContext.getGrantType() = na
 accessTokenContext.getRawTokenId() = d5daa054-015a-4869-9dc1-cccc6b04671b
 accessTokenContext.getTokenType() = REGULAR
2025-04-17 00:03:45,662 WARN [org.keycloak.events] (executor-thread-5) type="USER_INFO_REQUEST_ERROR", realmId="5b9ce58b-4b1d-42bd-a714-eca698e2157f", realmName="test", clientId="b967393f-a745-4efd-9cb9-91d733f41a58", userId="null", sessionId="59e8808b-bb1e-4171-9c57-ccae9cd6bc2a", ipAddress="172.18.0.13", error="user_session_not_found", auth_method="validate_access_token"

(3) Due to this issue, Keycloak 26.2.0 cannot pass OpenID Foundation's OIDC conformance tests, while all earlier versions of Keycloak could pass.
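The exchange in the report, rebuilt offline as an added example (not code from the issue or from the Keycloak project): it recreates the step [1] authorization URL from the quoted parameters, parses the step [4] fragment-style authorization response, and classifies the step [6] WWW-Authenticate challenge. The authorization response it parses is constructed, with placeholder values for the code and access token.

```python
# Added example: reconstructs the hybrid-flow exchange from the report offline.
# Not from the issue or Keycloak; endpoint and parameters are quoted from the report.
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTH_ENDPOINT = "https://as.keycloak-fapi.org/auth/realms/test/protocol/openid-connect/auth"

# Step [1]: authorization request parameters exactly as the report lists them.
AUTH_REQUEST = {
    "client_id": "0908b642-8d6c-4075-80e2-d2d7628c9bb1",
    "redirect_uri": "https://conformance-suite.keycloak-fapi.org/test/a/keycloak/callback",
    "scope": "openid offline_access",
    "state": "YQhigLVlWq",
    "nonce": "Baki3USTOx",
    "response_type": "code token",
    "prompt": "consent",
}

def build_auth_url(endpoint, params):
    # quote (not quote_plus) with ':/' kept literal reproduces the report's encoding.
    return endpoint + "?" + urlencode(params, quote_via=quote, safe=":/")

def is_hybrid_with_offline_access(params):
    """True for the combination the report identifies: hybrid flow + offline_access."""
    response_type = set(params["response_type"].split())
    return {"code", "token"} <= response_type and "offline_access" in params["scope"].split()

def parse_fragment_response(redirect_url):
    """Hybrid flow delivers code and access_token in the URL fragment, not the query."""
    fragment = urlsplit(redirect_url).fragment
    return {k: v[0] for k, v in parse_qs(fragment, strict_parsing=True).items()}

_AUTH_PARAM = re.compile(r'(\w+)="([^"]*)"')

def parse_bearer_challenge(www_authenticate):
    """Split an RFC 6750 'Bearer realm=..., error=...' challenge into a dict."""
    scheme, _, rest = www_authenticate.partition(" ")
    return {"scheme": scheme, **dict(_AUTH_PARAM.findall(rest))}

def userinfo_failure_reason(status, www_authenticate):
    """None when UserInfo succeeded; otherwise the most specific reason available."""
    if status == 200:
        return None
    challenge = parse_bearer_challenge(www_authenticate or "")
    return challenge.get("error_description") or challenge.get("error") or f"HTTP {status}"

if __name__ == "__main__":
    print(build_auth_url(AUTH_ENDPOINT, AUTH_REQUEST))
    # Step [6] header as reported; expected reason: user_session_not_found
    print(userinfo_failure_reason(401, 'Bearer realm="test", error="invalid_token", '
                                        'error_description="user_session_not_found"'))
```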
