[keycloak-dev] Cookies & RememberMe clarification

Marek Posolda mposolda at redhat.com
Tue Sep 16 06:09:07 EDT 2014


I have a few questions related to cookies & rememberMe.

1) Currently the KEYCLOAK_IDENTITY cookie is generated with -1 by 
default (so it expires when the browser is closed). The thing is that the lifespan of 
the identityToken generated in AuthenticationManager.createIdentityToken 
is just ssoSessionIdleTimeout, which is 10 minutes by default. And the 
cookie is refreshed only during cookie SSO login. So for example when I 
have a scenario like:
* Login to admin console
* Do some admin work for 15 minutes
* Then click the "Manage my account" button (or go to some other Keycloak 
secured application): the token in the KEYCLOAK_IDENTITY cookie is not 
valid anymore, so I am immediately logged out. Note that the UserSession is 
still valid, as I had a couple of refreshToken requests during my 15 
minutes of 'admin' work.

So my question is whether we can use ssoSessionMaxLifespan for the identity 
token instead of ssoSessionIdleTimeout? Note that even in cookie 
authentication we are also checking whether the UserSession is valid. So if 
the UserSession is expired, the login won't be successful anyway.

2) The second thing is the RememberMe feature. Currently we have a 
KEYCLOAK_REMEMBER_ME cookie, which is set after a successful login with 
rememberMe. But this cookie is actually not used anywhere for relogin! 
The only thing is the KEYCLOAK_IDENTITY cookie set with the lifespan of 
ssoSessionIdleTimeout, so once you restart the browser, the KEYCLOAK_IDENTITY 
cookie will survive and you will be able to relogin.

The problem is that KEYCLOAK_IDENTITY is tied to a particular UserSession. So 
for example if I have a scenario like:
* Login to admin console
* Close my browser and wait 15 minutes
* Then open my browser and try to relogin --- ATM both the UserSession and the 
KEYCLOAK_IDENTITY cookie are not valid anymore, so rememberMe doesn't 
work and the Keycloak login screen is displayed to me.

Also a scenario like:
* Login to admin console
* Close my browser and restart Keycloak
* Then open my browser and try to relogin --- rememberMe also won't work, 
as the UserSession is not valid (unless I am using the 'jpa' or 'mongo' 
UserSession provider).

IMO RememberMe shouldn't be tied to a particular UserSession. I would 
expect that when I start the browser the next day, I will be automatically 
logged in even if my UserSession from the previous day has already expired.

It seems that to properly support RememberMe, we should use the 
KEYCLOAK_REMEMBER_ME cookie instead of KEYCLOAK_IDENTITY. IMO the value of the 
KEYCLOAK_REMEMBER_ME cookie should be a random token signed by the realm 
privateKey and valid for just one use (each RememberMe login will 
regenerate the token and refresh the value of the KEYCLOAK_REMEMBER_ME cookie). 
This would mean that we will need to persist stuff related to rememberMe 
with some additional related information (realm, user, timestamp, 
ipAddress). So for example if an admin sets Not-Before for the realm, it 
will also invalidate all stored rememberMe tokens.

It seems that this will require some model changes and an amount of work, 
but ATM the RememberMe feature seems quite unusable to me.

wdyt?

Marek
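The two points above, modelled in runnable form as an added example (this is not Keycloak code and not Marek's; it is a stand-alone illustration). The first half reproduces the "15 minutes of admin work, then cookie SSO" scenario with the identity token's lifespan set first to ssoSessionIdleTimeout and then to ssoSessionMaxLifespan, while refresh-token requests keep the UserSession alive. The second half sketches the proposed RememberMe store: a random single-use token, signed so the server can reject tampered cookies, persisted with realm/user/timestamp/ipAddress, rotated on every use and invalidated by a realm Not-Before. Assumptions not in the mail: an HMAC stands in for signing with the realm private key, ssoSessionMaxLifespan is taken as 10 hours, refresh-token requests are simulated every 5 minutes, and the class and function names are invented for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Realm settings. Idle timeout is the 10-minute default from the mail;
# the max lifespan value (10 h) is an assumption for the example.
SSO_SESSION_IDLE_TIMEOUT = 10 * 60
SSO_SESSION_MAX_LIFESPAN = 10 * 60 * 60


@dataclass
class UserSession:
    user: str
    started: int
    last_refresh: int

    def is_valid(self, now: int) -> bool:
        # Both the idle timeout and the max lifespan must hold.
        return (now - self.last_refresh <= SSO_SESSION_IDLE_TIMEOUT
                and now - self.started <= SSO_SESSION_MAX_LIFESPAN)

    def refresh(self, now: int) -> None:
        # A refreshToken request bumps the session's last-refresh time.
        self.last_refresh = now


@dataclass
class IdentityToken:
    user: str
    exp: int  # absolute expiry; stands in for the token's 'exp' claim


def create_identity_token(session: UserSession, now: int, lifespan: int) -> IdentityToken:
    return IdentityToken(session.user, now + lifespan)


def cookie_login(token: IdentityToken, session: UserSession, now: int) -> bool:
    """Cookie SSO login: the token must be unexpired AND the UserSession valid."""
    return token.exp > now and session.is_valid(now)


def scenario_admin_work(token_lifespan: int) -> bool:
    """Login at t=0, admin work for 15 minutes with a refresh every 5 minutes
    (constructed timeline), then a cookie SSO login to another application."""
    session = UserSession("alice", started=0, last_refresh=0)
    token = create_identity_token(session, 0, token_lifespan)
    for t in (5 * 60, 10 * 60, 15 * 60):
        session.refresh(t)
    return cookie_login(token, session, now=15 * 60)


class RememberMeStore:
    """Single-use, server-persisted RememberMe tokens, independent of any UserSession."""

    def __init__(self, realm_key: bytes):
        self.key = realm_key   # assumption: HMAC key instead of the realm's RSA private key
        self.records = {}      # token id -> {realm, user, timestamp, ip}
        self.not_before = 0    # realm Not-Before; records older than this are dead

    def _sign(self, token_id: str) -> str:
        return hmac.new(self.key, token_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, realm: str, user: str, now: int, ip: str) -> str:
        token_id = secrets.token_urlsafe(32)   # random, unguessable token id
        self.records[token_id] = {"realm": realm, "user": user, "timestamp": now, "ip": ip}
        return f"{token_id}.{self._sign(token_id)}"  # cookie value: id.signature

    def set_not_before(self, timestamp: int) -> None:
        self.not_before = timestamp

    def relogin(self, cookie: str, now: int, ip: str):
        """Return (user, new_cookie) on success, None otherwise. Every accepted
        cookie is consumed and replaced, so a replayed cookie is rejected."""
        token_id, sep, sig = cookie.partition(".")
        if not sep or not hmac.compare_digest(sig, self._sign(token_id)):
            return None                          # forged or malformed: untouched store
        record = self.records.pop(token_id, None)   # single use: consume before checks
        if record is None or record["timestamp"] < self.not_before:
            return None
        return record["user"], self.issue(record["realm"], record["user"], now, ip)


if __name__ == "__main__":
    print("idle-timeout token survives 15 min of work:", scenario_admin_work(SSO_SESSION_IDLE_TIMEOUT))
    print("max-lifespan token survives 15 min of work:", scenario_admin_work(SSO_SESSION_MAX_LIFESPAN))
    store = RememberMeStore(b"realm-signing-key")
    cookie = store.issue("demo", "alice", now=0, ip="10.0.0.1")
    print("next-day relogin:", store.relogin(cookie, now=86400, ip="10.0.0.1") is not None)
    print("replay of same cookie:", store.relogin(cookie, now=86401, ip="10.0.0.1"))
```

The consume-before-check ordering in `relogin` matters: a token that fails the Not-Before check is still removed, so it cannot be retried later, while a cookie with a bad signature never touches the store at all and therefore cannot be used to burn someone else's token by guessing its id.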

