Client session timestamp not updated in the database if running multiple nodes #42012

@marcusdacoregio

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

core

Describe the bug

Hi everyone, I'm reaching out seeking help to solve a weird behavior that we are observing with our Keycloak instances.

On Keycloak 26.2.5 or 26.3.1, every time we deploy a new version of our Keycloak with custom providers, some user sessions are losing their client sessions, even if they are not expired yet. See the following screenshot before a deployment:

Image

Then, after the Keycloak pods were restarted, one session lost its client:

Image

This is in one of our lower environments; the problem is a lot worse in production, where there are many active sessions.
Then, we start to see a lot of REFRESH_TOKEN_ERROR in our logs:

type="REFRESH_TOKEN_ERROR", realmId="1234", realmName="redacted", clientId="redacted", userId="null", sessionId="4321", ipAddress="redacted", error="invalid_token", reason="Session doesn't have required client", grant_type="refresh_token", refresh_token_type="Refresh",

These are our session lifetime configs:

Image

We currently have two Keycloak pods running on Kubernetes.

Version

26.3.1

Regression

  • The issue is a regression

Expected behavior

The user sessions should not lose their clients after each Keycloak restart, or if this is expected, clear documentation on why it's needed and how to tweak it.

Actual behavior

Refresh of access tokens fails because user sessions are losing their client sessions during Keycloak restart. This started to happen after we upgraded from Keycloak 26.1.4 to 26.2.5.

How to Reproduce?

Unfortunately, I couldn't find a reliable way to reproduce this other than creating the OIDC sessions and restarting the application manually.

Anything else?

We also observe some logs from ClientSessionPersistentChangelogBasedTransaction, like:

client-session not imported from persister for sessionId=null, offline=false, removing from persister.

Enabled features:

Image
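For triage of the symptom reported above, the following added example (not part of the original issue and not Keycloak code) parses event lines in the `key="value"` format quoted in the report and groups the sessions whose refresh failed with "Session doesn't have required client" by realm and client. The sample lines, realm name, client IDs and session IDs are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key="value" event format quoted in the issue.
SAMPLE_LOG = '''\
type="REFRESH_TOKEN_ERROR", realmName="demo", clientId="app-a", sessionId="s-1", error="invalid_token", reason="Session doesn't have required client",
type="REFRESH_TOKEN_ERROR", realmName="demo", clientId="app-a", sessionId="s-1", error="invalid_token", reason="Session doesn't have required client",
type="REFRESH_TOKEN_ERROR", realmName="demo", clientId="app-a", sessionId="s-2", error="invalid_token", reason="Session doesn't have required client",
type="REFRESH_TOKEN_ERROR", realmName="demo", clientId="app-b", sessionId="s-3", error="invalid_token", reason="Session doesn't have required client",
type="REFRESH_TOKEN_ERROR", realmName="demo", clientId="app-b", sessionId="s-4", error="invalid_token", reason="constructed unrelated reason",
type="LOGIN", realmName="demo", clientId="app-a", sessionId="s-5",
'''

PAIR = re.compile(r'(\w+)="([^"]*)"')
LOST_CLIENT = "Session doesn't have required client"


def parse_event(line):
    """Turn one event line into a dict of its key="value" fields."""
    return dict(PAIR.findall(line))


def lost_client_sessions(lines):
    """Map (realmName, clientId) to the set of session IDs whose refresh
    failed because the user session no longer had the client session."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") == "REFRESH_TOKEN_ERROR" and ev.get("reason") == LOST_CLIENT:
            # A set deduplicates client retries against the same session.
            hits[(ev.get("realmName"), ev.get("clientId"))].add(ev.get("sessionId"))
    return dict(hits)


def summarize(lines):
    """Return (realm, client, affected_session_count) rows, worst first."""
    rows = [(r, c, len(s)) for (r, c), s in lost_client_sessions(lines).items()]
    return sorted(rows, key=lambda row: (-row[2], row[0], row[1]))


if __name__ == "__main__":
    for realm, client, count in summarize(SAMPLE_LOG.splitlines()):
        print(f"{realm}/{client}: {count} session(s) lost their client session")
```

Running the same grouping on logs from before and after a deployment gives a per-client count of affected sessions to attach to the report.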
