[keycloak-dev] screencasts all updated

Stian Thorgersen stian at redhat.com
Tue Sep 9 04:03:18 EDT 2014


For now I'm changing it to update every time. At the moment we don't have cluster support and all user sessions are stored in-mem so this is not an issue.

When we add cluster support we obviously need to distribute this. I think delaying the update would be best in those cases. Basically we only distribute the last refresh if it's close to expire.

----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 9 September, 2014 8:47:17 AM
> Subject: Re: [keycloak-dev] screencasts all updated
> 
> On 8.9.2014 16:04, Stian Thorgersen wrote:
> > Think I've figured out what's going on with problem b.
> >
> > UserSession.LastSessionRefresh is only updated if the next access token
> > refresh is after the timeout. The access token is also only refreshed when
> > a request is made. With the default values being:
> >
> > * access token lifespan: 1 min
> > * sso idle timeout: 5 min
> >
> > This means that a request has to be made between 4 min and 5 min after the
> > last time LastSessionRefresh was updated. So you can basically browse
> > around all you want for 4 minutes, leave it idle for 60 seconds, then when
> > you do the next request the session will be timed out.
> >
> > The simple solution seems to be to update LastSessionRefresh every time the
> > token is refreshed. Then post-1.0.final come up with a better scheme to
> > reduce the amount of writes to UserSession.LastSessionRefresh.
> I wonder if the solution could be something simple like:
> 
> long minAllowedInterval = min(5 minutes, (sso idle timeout - access
> token lifespan) / 2);
> if (System.currentTimeMillis() - lastSessionRefresh < minAllowedInterval) {
>    updateLastSessionRefresh();
> }
> 
> This will mean that if timeouts are low like:
> 
> * access token lifespan: 1 min
> * sso idle timeout: 5 min
> 
> then it will update lastSessionRefresh in every token refresh. On the
> other hand with bigger values like:
> 
> * access token lifespan: 1 min
> * sso idle timeout: 60 min
> 
> it will update lastSessionRefresh just if last refresh was older than
> around 30 minutes (exactly 30.5 minutes).
> 
> This might be a good compromise between flexibility and easiness. The
> easiest approach might be to always update refresh or use some hardcoded
> minAllowedInterval (like 10 minutes). The most flexible approach might
> be to add another configuration option for configuring
> minAllowedInterval, but I am not sure if it's needed (too much
> configuration options for various timeouts might be confusing for people
> imo).
> 
> Marek
> >
> > ----- Original Message -----
> >> From: "Stian Thorgersen" <stian at redhat.com>
> >> To: "Bill Burke" <bburke at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Monday, 8 September, 2014 3:30:29 PM
> >> Subject: Re: [keycloak-dev] screencasts all updated
> >>
> >> Actually it seems we have two problems:
> >>
> >> a) idletimeout plugin - this causes the logout if you have multiple tabs
> >> open. With the SSO idle timeout feature this is not needed, so we should
> >> just remove it to fix this issue
> >>
> >> b) issue with sso idle timeout - I tried setting the SSO idle timeout to a
> >> low number (30 seconds), with access token lifespan lower (5 seconds) and
> >> was continuously browsing. After 1 min or two I was logged out, even
> >> though
> >> I was continuously doing requests (and the network log shows it was
> >> refreshing the token)
> >>
> >> ----- Original Message -----
> >>> From: "Bill Burke" <bburke at redhat.com>
> >>> To: "Stian Thorgersen" <stian at redhat.com>
> >>> Cc: keycloak-dev at lists.jboss.org
> >>> Sent: Monday, 8 September, 2014 3:05:47 PM
> >>> Subject: Re: [keycloak-dev] screencasts all updated
> >>>
> >>>
> >>>
> >>> On 9/8/2014 8:37 AM, Stian Thorgersen wrote:
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>>> Cc: keycloak-dev at lists.jboss.org
> >>>>> Sent: Monday, 8 September, 2014 2:29:59 PM
> >>>>> Subject: Re: [keycloak-dev] screencasts all updated
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 9/8/2014 4:00 AM, Stian Thorgersen wrote:
> >>>>>>
> >>>>>> ----- Original Message -----
> >>>>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>>>> To: keycloak-dev at lists.jboss.org
> >>>>>>> Sent: Friday, 5 September, 2014 10:34:22 PM
> >>>>>>> Subject: [keycloak-dev] screencasts all updated
> >>>>>>>
> >>>>>>> man I hate doing screencasts, but they are finally updated.  It
> >>>>>>> really
> >>>>>>> needed to be done as they were not in sync with the current version
> >>>>>>> of
> >>>>>>> keycloak.  I haven't linked them yet though.  I'll do that when we
> >>>>>>> release.
> >>>>>> Nice - next time I can pitch in and do a few ;)
> >>>>>>
> >>>>>>> One thing that drove me crazy was that I kept on getting logged out
> >>>>>>> of
> >>>>>>> the admin console sporadically.  Gotta figure out what is going wrong
> >>>>>>> here.
> >>>>>> Did you have multiple tabs open? We have a timer that logs you out
> >>>>>> after
> >>>>>> 300 seconds of inactivity. Problem is that if you have two tabs open
> >>>>>> with
> >>>>>> the admin console, one you're actively using and another in the
> >>>>>> background, the background tab will end up logging you out after 300
> >>>>>> seconds.
> >>>>>>
> >>>>> That might be it.
> >>>>>
> >>>>>> We can either remove this altogether (my preferred option) and let the
> >>>>>> SSO
> >>>>>> idle timeout deal with it, or we could make sure you're only logged out
> >>>>>> if
> >>>>>> there's no activity to the console (can have tabs write a timestamp to
> >>>>>> html5 storage periodically and check this before logging out).
> >>>>>>
> >>>>> Or just have the timer download the SSO idle timeout.
> >>>> Not sure I follow. Wouldn't that just change the timeout value, but
> >>>> still
> >>>> leave an inactive tab able to logout all tabs?
> >>>>
> >>> Actually, are you sure that is it?  I thought the timer was for the
> >>> timeout warning, not for anything else?  I'm not even seeing the warning.
> >>>
> >>>
> >>> --
> >>> Bill Burke
> >>> JBoss, a division of Red Hat
> >>> http://bill.burkecentral.com
> >>>
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> 
> 
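As an added illustration (not code from this thread or from Keycloak), here is a small simulation of the three LastSessionRefresh write policies discussed above, replayed against the 1 min / 5 min defaults. The timeouts, the request timelines and the throttled variant's fixed min_interval parameter are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed defaults from the thread: 1 min access token lifespan, 5 min SSO idle timeout.
ACCESS_TOKEN_LIFESPAN = 60   # seconds
SSO_IDLE_TIMEOUT = 300       # seconds

@dataclass
class UserSession:
    last_session_refresh: int = 0   # stands in for UserSession.LastSessionRefresh
    token_issued_at: int = 0        # when the current access token was issued
    writes: int = 0                 # how often lastSessionRefresh was persisted

# A policy is asked at token-refresh time whether lastSessionRefresh should be written.
Policy = Callable[[UserSession, int], bool]

def original_policy(s: UserSession, now: int) -> bool:
    # Pre-fix behaviour from the thread: write only if the *next* token refresh
    # would already fall past the SSO idle timeout.
    return now + ACCESS_TOKEN_LIFESPAN > s.last_session_refresh + SSO_IDLE_TIMEOUT

def always_policy(s: UserSession, now: int) -> bool:
    return True   # Stian's interim fix: write on every token refresh

def throttled_policy(min_interval: int) -> Policy:
    # Hypothetical variant of Marek's idea: write at most once per min_interval
    # seconds (the interval is a parameter here, not derived from the timeouts).
    return lambda s, now: now - s.last_session_refresh >= min_interval

def simulate(request_times: List[int], policy: Policy) -> Tuple[Optional[int], int]:
    """Replay request timestamps (first one is the login at t=0).
    Returns (time the session was found idle-expired or None, number of writes)."""
    s = UserSession()
    for now in request_times[1:]:
        if now - s.last_session_refresh >= SSO_IDLE_TIMEOUT:
            return now, s.writes                      # SSO idle timeout hit -> logged out
        if now - s.token_issued_at >= ACCESS_TOKEN_LIFESPAN:
            s.token_issued_at = now                   # access token expired -> refreshed
            if policy(s, now):
                s.last_session_refresh = now
                s.writes += 1
    return None, s.writes

# Constructed scenario: one request every 10 s for 10 minutes of continuous browsing.
CONTINUOUS_BROWSING = list(range(0, 601, 10))
```

simulate(CONTINUOUS_BROWSING, original_policy) reports a logout at t=300 with zero writes, reproducing problem (b), while always_policy (10 writes) and throttled_policy(120) (5 writes) never time out.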