Failed to refresh OAuth token.
Hi,
I believe this is along the lines of the OIDC issues from the last releases.
I'm getting this issue now, but after getting the login screen and clicking to open via OIDC with a session already started with Keycloak.
What might be going wrong?
Scott

9 Replies
When I delete cookies, everything works as it should.
I've also removed the OIDC grant stuff I added due to the original 25.0 OIDC issue.
I'll report back tomorrow, when the OIDC token is invalid again.
Ok. Same thing. I log in to Keycloak from another application, so my OIDC session is valid, but when I try to log in to Coder, I get the error above. So to me, the refresh process isn't working as it should in Coder. This was all working wonderfully before 0.25.
I'll start an issue in the Coder repo.
We currently have the same problem with the token. Maybe it is connected with the issue we have with the refresh token:
The issue is that Coder seems to be improperly handling token refreshes, causing about 10-20 errors per minute in our OIDC event log. When the Coder session is active for an extended period, this results in thousands of entries, which, for now, seems to be just a cosmetic issue. However, I'm not sure if this erroneous token refresh might have any adverse effects on usage (probably not, since it seems a local session gets established), but I think this might be worth bringing up as a possible bug.
Here's what’s going wrong: When the token is refreshed, our OIDC provider issues a new refresh token and invalidates the old one. But Coder continues to use the old token which, as expected, fails. It then retries using the same old token, again failing, and this cycle continues.
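The retry loop described in that post, as an added simulation that is not Coder's or Keycloak's code: a stand-in provider that rotates refresh tokens, a client that keeps presenting the original token (the pattern the post describes), and a client that stores the rotated token and stops retrying once the provider has rejected it. Class and function names are assumptions for the illustration; the `invalid_token` error string mirrors what the thread reports in its event log.

```python
"""Refresh-token rotation: the failure mode from the thread and its fix.

Constructed simulation for illustration. ``RotatingProvider`` stands in for an
OIDC provider (such as Keycloak) that rotates refresh tokens; the two clients
are assumptions, not Coder's code.
"""
import secrets


class InvalidToken(Exception):
    """Raised by the provider when a refresh token is unknown or already used."""


class RotatingProvider:
    """Each successful refresh invalidates the presented refresh token and
    returns a fresh one; a stale token is rejected and logged as
    ``invalid_token`` (the error the thread reports in its OIDC event log)."""

    def __init__(self):
        self.valid_refresh_tokens = set()
        self.event_log = []  # one entry per failed refresh, like the IdP event log

    def issue_initial(self):
        refresh_token = secrets.token_hex(8)
        self.valid_refresh_tokens.add(refresh_token)
        return {"access_token": secrets.token_hex(8), "refresh_token": refresh_token}

    def refresh(self, refresh_token):
        if refresh_token not in self.valid_refresh_tokens:
            self.event_log.append(
                {"type": "REFRESH_TOKEN_ERROR", "error": "invalid_token", "userId": None}
            )
            raise InvalidToken("refresh token is not valid")
        self.valid_refresh_tokens.discard(refresh_token)  # rotation: the old token dies
        new_refresh_token = secrets.token_hex(8)
        self.valid_refresh_tokens.add(new_refresh_token)
        return {"access_token": secrets.token_hex(8), "refresh_token": new_refresh_token}


class StaleTokenClient:
    """The buggy pattern: stores the new access token but keeps the original
    refresh token, so every refresh after the first fails and it keeps retrying."""

    def __init__(self, provider):
        self.provider = provider
        tokens = provider.issue_initial()
        self.access_token = tokens["access_token"]
        self.refresh_token = tokens["refresh_token"]

    def refresh(self):
        try:
            tokens = self.provider.refresh(self.refresh_token)
        except InvalidToken:
            return False  # the next call presents the same dead token again
        self.access_token = tokens["access_token"]
        # Bug: tokens["refresh_token"] is ignored, so the stored one is now stale.
        return True


class RotatingTokenClient(StaleTokenClient):
    """Correct handling: persist the rotated refresh token, and when a refresh
    is rejected treat the session as dead instead of retrying with the same token."""

    def __init__(self, provider):
        super().__init__(provider)
        self.needs_login = False

    def refresh(self):
        if self.needs_login:
            return False  # do not hammer the IdP; an interactive login is required
        try:
            tokens = self.provider.refresh(self.refresh_token)
        except InvalidToken:
            self.needs_login = True
            return False
        self.access_token = tokens["access_token"]
        # A provider may omit refresh_token in the response; keep the old one only then.
        self.refresh_token = tokens.get("refresh_token", self.refresh_token)
        return True


def simulate(client_cls, refreshes=10):
    """Run `refreshes` refresh attempts; return (successes, failures, idp_errors_logged)."""
    provider = RotatingProvider()
    client = client_cls(provider)
    results = [client.refresh() for _ in range(refreshes)]
    return results.count(True), results.count(False), len(provider.event_log)


if __name__ == "__main__":
    print("stale   :", simulate(StaleTokenClient))     # (1, 9, 9)
    print("rotating:", simulate(RotatingTokenClient))  # (10, 0, 0)
```

The two numbers to compare are the third elements: the stale client produces one IdP error per attempt for as long as the session lives, which is the "10-20 errors per minute" pattern; the rotating client produces none, and if its token is ever revoked out from under it, it records a single error and then waits for a real login.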
We're releasing a patch to fix this. It was our bad.
Dragging up issues from the past, sorry about that. It seems that we get many broken refresh token requests in our Keycloak logs, causing constant alerts for our Keycloak team.
We are using Coder OSS 2.21.3, and the Keycloak instance is version 24.0.2.
They see around 10,000 broken requests every 24 hours.
☝️
Was there a regression or was this never fixed for you?
We only started using Coder in the last 6 months or so; however, that figure I just mentioned may be somewhat inflated. One of the Keycloak team mentioned that figure was the last 24 hours, but it is not every 24 hours.
Last 30 days was 10161
We deployed 2.21.3 yesterday
They have seen recurring issues, with refresh tokens behaving strangely, but I also don't know what the expected behaviour should be.
We also removed the offline access scope, as our Keycloak team suggested that this may be the cause of the issues.
How many users are using Coder?
We have around 200 total, 160 of which are dormant, pre-created via Terraform for future onboarding.
All are OIDC via Keycloak, and we have signups and password auth disabled.
Here is what every log line looks like: userID is always null, error is always invalid_token.
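The symptom in that last post (thousands of invalid_token refresh errors with no user attached) is easier to triage as a per-client rate than as one alert per request. Added example, not from the page or from Keycloak: the sample lines are constructed in the style of Keycloak's key=value event logger (an assumption about the exact format; the realm, client ids and addresses are made up), and the parser relies only on that key=value shape. Function names are assumptions.

```python
"""Rate-based triage of refresh-token errors in an IdP event log.

Added example. The sample lines are constructed in the style of Keycloak's
event logger (key=value pairs; the exact format is an assumption) and the
parser relies only on that key=value shape.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: four stale-token retries from one client inside one minute,
# one unrelated login, and a single error from another client.
SAMPLE_LOG = """\
2025-01-01T10:00:01Z type=REFRESH_TOKEN_ERROR, realmId=dev, clientId=coder, userId=null, ipAddress=10.0.0.5, error=invalid_token, grant_type=refresh_token
2025-01-01T10:00:07Z type=REFRESH_TOKEN_ERROR, realmId=dev, clientId=coder, userId=null, ipAddress=10.0.0.5, error=invalid_token, grant_type=refresh_token
2025-01-01T10:00:13Z type=LOGIN, realmId=dev, clientId=grafana, userId=3f2c, ipAddress=10.0.0.9
2025-01-01T10:00:19Z type=REFRESH_TOKEN_ERROR, realmId=dev, clientId=coder, userId=null, ipAddress=10.0.0.5, error=invalid_token, grant_type=refresh_token
2025-01-01T10:00:25Z type=REFRESH_TOKEN_ERROR, realmId=dev, clientId=coder, userId=null, ipAddress=10.0.0.5, error=invalid_token, grant_type=refresh_token
2025-01-01T10:01:02Z type=REFRESH_TOKEN_ERROR, realmId=dev, clientId=grafana, userId=null, ipAddress=10.0.0.9, error=invalid_token, grant_type=refresh_token
"""

FIELD_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_line(line):
    """Split '<iso-timestamp> k=v, k=v, ...' into (datetime, dict of fields)."""
    stamp, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")), fields


def refresh_errors_per_minute(log_text):
    """Count invalid_token refresh failures per (clientId, minute).

    The thread reports userId is always null on these events, so the user is
    useless as a grouping key; the client that keeps presenting the dead token
    is the useful one.
    """
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, fields = parse_line(line)
        if fields.get("type") == "REFRESH_TOKEN_ERROR" and fields.get("error") == "invalid_token":
            counts[(fields.get("clientId"), stamp.strftime("%Y-%m-%dT%H:%M"))] += 1
    return counts


def noisy_clients(log_text, per_minute_threshold=3):
    """Clients exceeding the threshold in any one minute: one alert per
    offending client, not one per failed request."""
    return sorted(
        client
        for (client, _minute), n in refresh_errors_per_minute(log_text).items()
        if n >= per_minute_threshold
    )


if __name__ == "__main__":
    print(noisy_clients(SAMPLE_LOG))  # ['coder']
```

A single rejected refresh is normal (a token expired, a user logged out elsewhere); a sustained rate from one client is the retry loop, and the client id, not the null user, is what identifies which integration to fix.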
