Version/Environment:
Best practices apply to all Domino versions
Issue:
Some scheduled jobs and workspaces can intermittently fail.
For Domino 5.0.x, 5.1.x, and 5.2.x, this error can appear even after applying the MongoDB fix for all users described in this article: After Domino 4.x to 5.x upgrade executions fail with "HTTP Error 400: Bad Request POSTing to...":
ERROR:__main__:Attempt to refresh failed due to an HTTP Error HTTP Error 400:
Bad Request POSTing to http://keycloak-http.domino-platform/auth/realms/DominoRealm/protocol/openid-connect/token
Root Cause:
Keycloak has several token and session settings that affect executions. One is Offline Session Idle, which defines the lifespan of the refresh token: the maximum time the user’s session is allowed to remain idle before the offline token is revoked.
In Domino, this is the maximum time between when one execution (job, workspace, app, scheduled run) finishes and the next one starts (for the same user). If this value is set to minutes while jobs are scheduled hourly, jobs can fail: by the time the next execution starts, the previous offline session has expired and the user’s session has already been terminated.
Resolution:
As a best practice, we recommend the following default Keycloak settings under the Tokens tab:
- Revoke Refresh Token - OFF
- Offline Session Idle - 60 days or higher
- Offline Session Max Limited - OFF
- Access Token lifespan - 5 minutes
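
To check a realm against these recommendations, the following added example (not Domino's or Keycloak's own code) audits a realm export. It assumes the four settings map to the Keycloak realm representation keys `revokeRefreshToken`, `offlineSessionIdleTimeout`, `offlineSessionMaxLifespanEnabled` and `accessTokenLifespan` (times in seconds); `audit_realm`, `max_gap_seconds` and the sample values are hypothetical and constructed for illustration.

```python
import json

DAY = 24 * 60 * 60

# Constructed sample: a few RealmRepresentation fields as they appear in a
# Keycloak realm export. The values are illustrative, not from a real cluster.
SAMPLE_REALM = json.loads("""
{
  "realm": "DominoRealm",
  "revokeRefreshToken": true,
  "offlineSessionIdleTimeout": 1800,
  "offlineSessionMaxLifespanEnabled": false,
  "accessTokenLifespan": 300
}
""")


def audit_realm(realm, max_gap_seconds=0):
    """Return findings for settings that differ from the recommendations.

    max_gap_seconds (operator-supplied assumption): longest expected time
    between one execution finishing and the next starting for the same user.
    """
    findings = []
    if realm.get("revokeRefreshToken") is not False:
        findings.append("Revoke Refresh Token should be OFF")
    idle = realm.get("offlineSessionIdleTimeout")
    if idle is None:
        findings.append("offlineSessionIdleTimeout missing from export")
    else:
        if idle < 60 * DAY:
            findings.append(f"Offline Session Idle is {idle}s, below 60 days")
        if max_gap_seconds and idle <= max_gap_seconds:
            findings.append(
                f"Offline Session Idle ({idle}s) does not exceed the "
                f"{max_gap_seconds}s gap between executions"
            )
    if realm.get("offlineSessionMaxLifespanEnabled") is not False:
        findings.append("Offline Session Max Limited should be OFF")
    if realm.get("accessTokenLifespan") != 5 * 60:
        findings.append("Access Token Lifespan should be 5 minutes (300s)")
    return findings


if __name__ == "__main__":
    # Hourly scheduled job: the gap between executions is about 3600 seconds.
    for finding in audit_realm(SAMPLE_REALM, max_gap_seconds=3600):
        print("FINDING:", finding)
```

With the sample realm and an hourly schedule, the audit reports the 30-minute idle timeout twice: once against the 60-day baseline and once because it is shorter than the gap between executions, which is the failure described under Root Cause.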