[Hawkular-dev] Keycloak Authorization Tokens

Juraci Paixão Kröhling jpkroehling at redhat.com
Tue Aug 18 06:00:57 EDT 2015


On 08/18/2015 11:21 AM, Artur Dryomov wrote:
> Thank you for the answers.
>
>     No. Even if the refresh token is configured to not expire, it will
>     expire should the user perform a logout. In other words: every
>     refresh token needs an active user session, otherwise it's
>     understood that it has expired.
>
>
> Is it possible to configure the session length to a longer period by
> default then? 30 minutes seems very little and, as I’ve mentioned, will
> be (very) frustrating for users.

I'm afraid it wouldn't solve the problem. Instead of 30 minutes, we 
could use another "reasonable" value (60, 90 minutes), and it would be 
almost equally frustrating. Increasing this value too much (8h, 1w), 
however, is a security concern.

I'd suggest watching the JIRA I mentioned before and switching the client
in the future to use those permanent tokens. Unfortunately, there's no
good short-term solution.

- Juca.

