Keycloak and Forcing authentication on Error.

[GRRedWings]

I apologize if this is a simple question, and I'm guessing I've mis-configured something, but I've spent some time trying to read over the documentation and understand how to properly interface with Keycloak. I'm able to authenticate and work with Keycloak, but I feel that there is something wrong with my setup, I have a couple of issues I'm struggling to solve.

1. With my current setup, if I go into keycloak and logout the session, our SPA can continue to make requests and never get a 401. Is there something that I have configured wrong that isn't allowing this library to check the expiration at a minimum? I've tried to use
   "OIDCRefreshAccessTokenBeforeExpiry 15 authenticate_on_error", but it doesn't seem to have any effect, and I have never been successful at the authenticate redirect.

Here is my current configuration, maybe someone can help me understand what I'm mis-configuring or missing.

     OIDCProviderMetadataURL https://${KEYCLOAK_HOST}/realms/${KEYCLOAK_REALM}/.well-known/openid-configuration
     OIDCClientID ${KEYCLOAK_CLIENT_ID}
     OIDCScope "openid profile"
     OIDCSSLValidateServer off
     OIDCRedirectURI https://${APACHE_FQDN}/secure/redirect?info=json&access_token_refresh_interval=60
     OIDCSessionInactivityTimeout 90
     OIDCSessionMaxDuration 90000
     <Location /web>
           AuthType openid-connect
           Require valid-user
     </Location>

If I set the OIDCSessionInactivityTimeout to say 90, at 90 seconds of inactivity I get a 401 as expected.

I have also noticed similar to this article https://github.com/OpenIDC/mod_auth_openidc/issues/388 I get "oidc_cache_shm_get_key: could not construct cache key since key size is too large" error messages in the logs. Is this causing my issues? I don't have the introspect configuration like the article had, is this something I would need to add?

2. As discussed briefly above in the first issue, I am trying to use the library to redirect to the IDP login when we get a 401 error. With a SPA is there something else I need to do other than configure settings like OIDCUserInfoRefreshInterval or OIDCRefreshAccessTokenBeforeExpiry with the settings to redirect? Currently when a 401 is returned no redirect happens. I'm not sure where to look to know if this is a limitation of the library being blocked by the browser/SPA, or if I have mis-configured something.

[zandbelt]

     OIDCRedirectURI https://${APACHE_FQDN}/secure/redirect?info=json&access_token_refresh_interval=60

is overloading the point of the redirect URI... it should really be:

     OIDCRedirectURI https://${APACHE_FQDN}/secure/redirect

If Keycloak triggers OpenID Connect Logout (e.g. the Backchannel variant), it would kill the mod_auth_openidc's session. Not sure how to configure that in Keycloak.

Furthermore it is up to the SPA itself to interpret a 401 and trigger a toplevel redirect, see e.g.: https://github.com/OpenIDC/mod_auth_openidc/wiki/Sessions-and-Timeouts#single-page-applications

[GRRedWings]

Thanks for the update. I will modify our redirect to not have the extra details, and modify the SPA to refresh when we get a 401.

One more question. If I configure OIDCRefreshAccessTokenBeforeExpiry, in keycloak if I logout the session, the library will notice it and send me a 401. But our SPA doesn't do any periodic calls, so if I let the session sit too long, Keycloak seems to remove it, but inside my SPA I can continue to make calls, even if I do a reload. I can set the OIDCSessionInactivityTimeout to be less, but lets say I have a token expiration of 5 minutes, and a session inactivity of 60 minutes. Somewhere in between is where keycloak is removing the session but I continue to be able to make calls. Is there another configuration that I'm missing?

I appreciate you taking the time to help me understand this. I'm guessing most of this is some basic oauth or OpenIDC logic but it can be rather confusing.