openid-connect-generic
Auth via Keycloak returns ERROR(access-token-expired): Session expired — only for homepage
I have a bit of a strange issue with a WP install that I can't figure out if I've misconfigured or if there is a bug.

- I'm using the latest up-to-date WP, this plugin, and Keycloak.
- Autologin / SSO is enabled, so it's basically the only way into the site.
- The site only has a couple of admin users; most anonymous users can view the site just fine.
- The OIDC login works great for all but one specific case. If you try to open the admin panel explicitly or any page on the site, all is fine.
- If you try to access the /root URL homepage of the site as a logged-in admin (or any user with an active Keycloak session really) it throws: ERROR (access-token-expired): Session expired. Please login again.

The login button on that page just redirects back to that error page. Presumably I'm being sent to the IdP, but the IdP thinks I have a valid session and sends me right back.
Again even sitting at that error page, if you type in the admin dashboard URL or any other site URL you are correctly logged in as an admin, but it refuses to load the home page for any logged in admin. Admins can only reach the home page of the site by switching to a private browsing mode. Killing off the WP site cookies doesn't even do the job.
What do I even look for at this point?
I've tried disabling refresh tokens on both ends, no difference.
@alerque so in general the Access Token that is provided by the IDP indicates how long a session should be active for an authenticated application. The access token is expiring the WordPress session. I have about 20 client sites where this happens and it just seems normal and doesn't seem to cause a lot of problems other than getting logged out when you might be in the middle of something. I haven't had a chance to investigate this further, however I do believe the organization IT department that manages the IDP for all of those sites did indicate they had something like a 1 hour session policy for their IDP setup. What may be needed in the plugin is a way to configure it such that SSO is only used for initial authentication and then no further interaction/requirement of the IDP to dictate any session expiration.
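To make the mechanism in the comment above concrete, here is an added example (not code from the plugin, from Keycloak, or from anyone in this thread) that decodes the claims of a constructed OIDC access token and refresh token and classifies the relying-party session the way the thread describes the plugin behaving: the access token's `exp` ends the WordPress session, a still-valid refresh token lets it be renewed without user interaction, and once both have lapsed the user is bounced to the IdP with "Session expired". The token lifetimes (5-minute access token, 30-minute refresh token), the issuer URL, the subject and the `session_state` value are assumptions chosen to mirror Keycloak's default lifespans; the tokens are unsigned test data built inline, and nothing here verifies a signature, so this is a diagnostic aid only, never an authorization check.

```python
import base64
import json

# Assumed lifetimes for the constructed tokens, chosen to match Keycloak's
# defaults (Access Token Lifespan 5 min, SSO Session Idle 30 min).
# They are not read from any IdP.
ACCESS_LIFETIME = 300
REFRESH_LIFETIME = 1800
ISSUED_AT = 1_700_000_000  # arbitrary fixed login time so runs are reproducible


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token: alg 'none' and an empty signature segment."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def seconds_past_expiry(token: str, now: int) -> int:
    """Positive once the token has lapsed; negative while it is still valid."""
    return now - decode_claims(token)["exp"]


def session_status(access_token: str, refresh_token: str, now: int) -> str:
    """Classify the RP session as the thread describes the plugin behaving.

    'active'    - access token still valid, the page loads normally
    'renewable' - access token expired but refresh token valid: a new access
                  token can be fetched from the IdP without user interaction
    'expired'   - both expired: 'Session expired. Please login again.'
    """
    if seconds_past_expiry(access_token, now) < 0:
        return "active"
    if seconds_past_expiry(refresh_token, now) < 0:
        return "renewable"
    return "expired"


def build_test_tokens(issued_at: int = ISSUED_AT) -> tuple:
    """Constructed access/refresh pair shaped like what an IdP would issue."""
    common = {
        "iss": "https://idp.example.test/realms/demo",  # assumed issuer
        "sub": "admin",                                 # assumed subject
        "iat": issued_at,
        "session_state": "constructed-session-id",      # assumed value
    }
    access = make_unsigned_jwt({**common, "typ": "Bearer",
                                "exp": issued_at + ACCESS_LIFETIME})
    refresh = make_unsigned_jwt({**common, "typ": "Refresh",
                                 "exp": issued_at + REFRESH_LIFETIME})
    return access, refresh


if __name__ == "__main__":
    access, refresh = build_test_tokens()
    # Walk the clock forward: 1 min, 10 min and 40 min after login.
    for elapsed in (60, 600, 2400):
        now = ISSUED_AT + elapsed
        print(f"+{elapsed:>5}s: {session_status(access, refresh, now):<9} "
              f"(access token {seconds_past_expiry(access, now):+d}s past exp)")
```

Running it prints one line per time step: `active` at one minute, `renewable` at ten minutes (the access token lapsed but the refresh token has not), and `expired` at forty minutes. Against a real deployment you would paste the actual tokens the plugin stored for the user into `decode_claims` and compare `exp` with the wall clock at the moment the error appeared; a symptom that starts after a fixed idle interval like the five minutes mentioned later in this thread points at the access token lifespan, while a symptom that persists until a much longer boundary points at the session or refresh-token policy on the IdP side.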
@alerque any progress with this one mate?
No. In my case I beat my head against it for 2 days, then gave up for a day to work on other things. The next day the issue seemed to have vanished. I noticed it was just over 72 hours from when I first found the broken condition after a Keycloak update. I switched to some computers/browsers that I had used to test later in the process and they were still broken. As the 72 hour mark rolled by for when I first tested each of them, they started working. At this point I can't replicate this anywhere, but neither can I find where anything is set to expire in 72 hours or how it relates to this problem. I don't even know if the problem I need to hunt is in WordPress or this plugin or Keycloak.
@alerque oh that's a familiar feeling. Why are we in this line of work? So weird...
Still an issue for me. I'll try updating Keycloak and see if the issue disappears!
I should clarify, with my issue, the error comes up when the user has been away from the page for at least 5 minutes.
Perhaps it has something to do with the key refresh https://stackoverflow.com/questions/42499818/keycloak-refresh-update-token-not-working