[keycloak-dev] Offline Session Max for Offline Token

Tue Jun 19 14:54:46 EDT 2018

On 19/06/18 02:24, 乗松隆志 / NORIMATSU，TAKASHI wrote:
> Hello,
>
> I agree with you. The specification seems to be as follows.
>
> * As default, operate as current Offline Access does, namely "Offline Session Max" concept is not adopted.
> * On Admin Console, have "Offline Session Max Limited" ON/OFF switch. If ON, show "Offline Session Max" dropdown whose default value is "60 days". If Off, it disappears. Default is OFF.
> * In Model, not use something to keep "Offline Session Max Limited" ON/OFF switch setting. Only use int to keep "Offline Session Max" value whose unit is "second". -1 indicates "infinity", namely not expire by "Offline Session Max".
>
> One point I would like to discuss is how to accommodate "Offline Session Max" setting (also "Offline Session Max Limited" ON/OFF switch implicitly).
>
> My proposal is the following.
>
> * On UI(html, js) and RealmModel, use setter/getter.
> * On RealmAdapter and RealmEntity, use attributes.
> * On RealmAttributes, define its attribute key such as
>    String OFFLINE_SESSION_MAX_LIFESPAN = "offlineSessionMaxLifespan";
>
> The reason why is to avoid DB migration works.
>
> What do you think about that?
+1

Marek
>
> Best regards,
> Takashi Norimatsu
> Hitachi Ltd.,
>
> -----Original Message-----
> From: Marek Posolda <mposolda at redhat.com>
> Sent: Monday, June 18, 2018 8:29 PM
> To: 乗松隆志 / NORIMATSU，TAKASHI <takashi.norimatsu.ws at hitachi.com>; 'keycloak-dev at lists.jboss.org' <keycloak-dev at lists.jboss.org>
> Subject: [!]Re: [keycloak-dev] Offline Session Max for Offline Token
>
> Hi,
>
> it makes sense to me to have support for this. However IMO default value should be still "infinity" like it is now.
>
> I am not sure what is the best way to handle this in admin console considering usability? Considering that timeouts in admin console (Tab "Tokens" of "Realm Settings") doesn't yet support infinity. And other timeouts besides "Offline Session Max" still should be kept to not support infinity IMO.
>
> Maybe one way is to have On/Off switch like "Offline Session Max Limited" . It is off by default and when it is switched to ON, it will show another field "Offline Session Max" with the timeout? Which can be
> 60 days by default maybe? At the model level, there would be still single int value IMO (EG. When the value is -1, it means infinity, which means that "Offline Session Max Limited" switch will be OFF in admin console and "Offline Session Max" hidden. When it is positive value, the "Offline Session Max Limited" switch will be ON and the actual value of timeout "Offline Session Max" will be shown). Could this work?
>
> Marek
>
>
>
> On 14/06/18 08:36, 乗松隆志 / NORIMATSU，TAKASHI wrote:
>> Hello,
>>
>> I've found that keycloak does not support Offline Session Max related to Offline Token while supports SSO Session Max related to Refresh Token.
>>
>> For authorization of REST API services, long life(not infinite, such as 60days) refresh token is required, offline access and persistency in keycloak side are also expected.
>> Therefore, Offline Session Max is required for offline token.
>>
>> For example, consulting MS Azure, it has already supported this concept.
>> https://clicktime.symantec.com/a/1/--rcGHJujTdPJSfFwNlM2MIYGqLILoWPKdL
>> 9CWfmjNc=?d=YWVjrivvynl5nVuhig7Zwbvg38OkJyUVDhaDQ312OlDzgNM4xTTDVE89zf
>> _mLEMJrbOBesYy_-Yw2RhKJfJm5AANJ_OD6WaMyDNij1Xb4Cuf-VYC4Ch2z5y5DLJ3vdQd
>> Cr_N3VusQfJENUGg44FTkalpZ_1vwmTbXJV1hjQGmNYtp8Hp6BWFQZmIv60C2fQGJYo4R0
>> Pzdorm-4IhlIYi5LyAp_T45WsKMOn7PkZVYkBanJxHl3ESfMgcvkxElRlAfh2luIzQQkiz
>> e7gu-mj7EDmYyUiA6n4ngr8_PD0i3-0-GJbATfxQjS3Cg-MTJbjf6DdPlNhxriDK869vtT
>> 2bc6zkl0tBQxOQ5Sr6xspyxpbjN5mwFSvN4w2AmX0pfoubD3uf8mSNb5dBZjJ4xkOj9w%3
>> D%3D&u=https%3A%2F%2Fdocs.microsoft.com%2Fen-US%2Fazure%2Factive-direc
>> tory%2Fdevelop%2Factive-directory-token-and-claims%23token-revocation
>>
>> I would like to try to implement this feature.
>> Best regards,
>> Takashi Norimatsu
>> Hitachi Ltd.,
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://clicktime.symantec.com/a/1/PRLXsV_IH6jByHBptfs7DU9QRvpmlAlFI31
>> S45woinY=?d=YWVjrivvynl5nVuhig7Zwbvg38OkJyUVDhaDQ312OlDzgNM4xTTDVE89zf_mLEMJrbOBesYy_-Yw2RhKJfJm5AANJ_OD6WaMyDNij1Xb4Cuf-VYC4Ch2z5y5DLJ3vdQdCr_N3VusQfJENUGg44FTkalpZ_1vwmTbXJV1hjQGmNYtp8Hp6BWFQZmIv60C2fQGJYo4R0Pzdorm-4IhlIYi5LyAp_T45WsKMOn7PkZVYkBanJxHl3ESfMgcvkxElRlAfh2luIzQQkize7gu-mj7EDmYyUiA6n4ngr8_PD0i3-0-GJbATfxQjS3Cg-MTJbjf6DdPlNhxriDK869vtT2bc6zkl0tBQxOQ5Sr6xspyxpbjN5mwFSvN4w2AmX0pfoubD3uf8mSNb5dBZjJ4xkOj9w%3D%3D&u=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-dev
>