<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04/04/16 10:50, Stian Thorgersen
wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAcBOCJjvFp_XkvUsrA5uFgz2yQwVOAZuGnS1KS1Q_gOSg@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 4 April 2016 at 10:44, Stian
Thorgersen <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:sthorger@redhat.com" target="_blank">sthorger@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra"><br>
<div class="gmail_quote"><span class="">On 4 April
2016 at 09:31, Marek Posolda <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px
0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Seems there are 2 things here:<br>
<br>
1) Username "hint" provided by the
KEYCLOAK_REMEMBERME cookie. IMO this cookie
should be deleted only when:<br>
- User explicitly clicked on logout and
manually logged himself out<br>
- User clicks on the "Login" button on the login
screen without the rememberMe checkbox
checked<br>
<br>
IMO it shouldn't be deleted when the SSO cookie
is expired, which is the current behaviour and
should be changed IMO. In other words, I
expect the scenario to work like this:<br>
- User logged in with the "rememberMe" checkbox on<br>
- User closed the browser<br>
- After a month, the user returns to the
application. His SSO session is expired, but the
KEYCLOAK_REMEMBERME cookie won't be deleted,
so on the login screen he will see the prefilled
username and the rememberMe checkbox switched to
"on"<br>
</div>
</div>
</blockquote>
<div><br>
</div>
</span>
<div>Create a JIRA to request remember me cookie to
not be removed. However, we need some way of
configuring expiration of the cookie. This would
be for 2.x.</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
Ok, Thanks. Created <a class="moz-txt-link-freetext" href="https://issues.jboss.org/browse/KEYCLOAK-2741">https://issues.jboss.org/browse/KEYCLOAK-2741</a><br>
<blockquote
cite="mid:CAJgngAcBOCJjvFp_XkvUsrA5uFgz2yQwVOAZuGnS1KS1Q_gOSg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><span class="">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px
0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> <br>
<br>
2) Persistent KEYCLOAK_IDENTITY cookie when
rememberMe is switched on. I can't see
how it can work when the session is expired, as
it relies on the session in the cookie value. On
the other hand, rememberMe shouldn't rely on
the "SSO Session idle timeout" IMO. SSO Idle
timeout is only 30 minutes by default. So the
current behaviour is that when a user closes
his browser, he needs to open it again and
is re-authenticated only when he does so
within 30 minutes, which is a bit pointless
IMO. <br>
<br>
I would suggest changing the behaviour like
this:<br>
- When a userSession is marked as rememberMe,
then the cleaner thread will take into account
just the "SSO Max Lifespan" timeout, but not the SSO
Idle timeout<br>
- During verification of the SSO cookie
re-authentication, when the session is
rememberMe, we will take into account just the
SSO Max Lifespan of the session, but not the SSO
Idle timeout<br>
Refreshing of tokens will still use the SSO
Idle timeout just like now.<br>
<br>
If we don't change the behaviour like this, we
should at least update the "RememberMe" docs and
tooltip to make it clearer what the
behaviour would be in various cases.<br>
WDYT?</div>
</div>
</blockquote>
<div><br>
</div>
</span>
<div>We've already discussed this and there's a JIRA
requesting it (<a moz-do-not-send="true"
href="https://issues.jboss.org/browse/KEYCLOAK-1267"
target="_blank">https://issues.jboss.org/browse/KEYCLOAK-1267</a>).
The default behavior should be that SSO Idle
timeout is taken into account, but there should be
a realm option to ignore it and only rely on SSO
Max lifespan. This is also for 2.x.</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>Actually, thinking about this some more IMO we should
either reject KEYCLOAK-1267 or add separate idle/max
configuration for remember me, not just ignore. Having
user sessions that don't take SSO Idle into account
would potentially result in a large number of unused user
sessions left in the system. Especially if SSO Max is
large. It could be users clicked it by mistake in
incognito mode, they manually cleared cookies, they
re-installed the machine, etc.</div>
</div>
</div>
</div>
</blockquote>
+1 to add separate timeouts for rememberMe. We can have those
timeouts available in the UI just if the realm is selected to have "Remember
me" enabled (same as the timeout for the KEYCLOAK_REMEMBERME cookie
specified in KEYCLOAK-2741)<br>
<br>
Marek<br>
<blockquote
cite="mid:CAJgngAcBOCJjvFp_XkvUsrA5uFgz2yQwVOAZuGnS1KS1Q_gOSg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div>
<div class="h5">
<div> </div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div><span><font color="#888888"><br>
Marek</font></span>
<div>
<div><br>
<br>
On 31/03/16 16:26, Libor Krzyzanek
wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div>I read docs today <a
moz-do-not-send="true"
href="http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#d4e2630"
target="_blank">http://keycloak.github.io/docs/userguide/keycloak-server/html/timeouts.html#d4e2630</a><br>
and my understanding is that
the user should stay logged in after
either browser restart or session
expiration.</div>
<div>My tests show that after session
expiration (set to 1 min) I have to
log in again.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>
<div><br>
</div>
<div>
<div>
<div
style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">Libor
Krzyžanek</div>
<div
style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">Principal
Software Engineer<br>
Red Hat Developers |
Engineering</div>
</div>
<br>
<div>
<blockquote type="cite">
<div>On Mar 31, 2016, at 3:00
PM, Marek Posolda <<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>>
wrote:</div>
<br>
<div>
<div>Followup on the issue by Libor [1]. I can
confirm seeing the same behaviour in OOTB
Keycloak, as Libor described in the JIRA. In
other words, when you refresh the account page (
<a moz-do-not-send="true"
href="http://localhost:8080/auth/realms/myrealm/account" target="_blank">http://localhost:8080/auth/realms/myrealm/account</a>
) but the UserSession referenced from the
KEYCLOAK_IDENTITY cookie is expired, then all
cookies including KEYCLOAK_REMEMBERME are
expired too.<br>
<br>
IMO the RememberMe cookie shouldn't be expired
when the session is expired. We're using the
rememberMe cookie as a hint for the username on
the login page. So even if the user returns to
the page after a month, I am not seeing anything
bad in the rememberMe cookie still being valid
and the user seeing the "hint" with his username
on the login page and the rememberMe checkbox
checked, even if the session was expired already
for a long time. IMO the only situation when we
should expire the KEYCLOAK_REMEMBERME cookie is
when the user unchecks the "Remember me"
checkbox on the login page.<br>
<br>
[1] <a
moz-do-not-send="true"
href="https://issues.jboss.org/browse/ORG-2956"
target="_blank">https://issues.jboss.org/browse/ORG-2956</a><br>
<br>
Marek<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a><br>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
</div>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
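Added example, not Keycloak's code and not from anyone on this thread: a small Python model of the session-expiry and cookie-clearing rules discussed above. It assumes the separate rememberMe idle/max realm timeouts that Stian and Marek propose (these are hypothetical settings, not an existing Keycloak option); with them unset, it reproduces the current behaviour where "SSO Session Idle" expires a rememberMe session after 30 minutes.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RealmTimeouts:
    """Realm timeouts in seconds. sso_idle/sso_max follow the admin console
    names; remember_me_idle/max are the proposed separate rememberMe
    timeouts (an assumption of this model, not a Keycloak setting)."""
    sso_idle: int
    sso_max: int
    remember_me_idle: Optional[int] = None
    remember_me_max: Optional[int] = None


@dataclass
class UserSession:
    started: int        # epoch seconds when the session was created
    last_refresh: int   # epoch seconds of the last activity / token refresh
    remember_me: bool   # "Remember me" checkbox was on at login


def is_expired(s: UserSession, t: RealmTimeouts, now: int) -> bool:
    """Expiry check shared by the cleaner thread and SSO cookie verification.

    A rememberMe session gets its own idle and max bounds when the realm
    defines them. Keeping an idle bound (rather than ignoring idle entirely,
    as KEYCLOAK-1267 asks) addresses the concern that abandoned sessions
    would otherwise linger until SSO Max."""
    idle, max_life = t.sso_idle, t.sso_max
    if s.remember_me:
        if t.remember_me_idle is not None:
            idle = t.remember_me_idle
        if t.remember_me_max is not None:
            max_life = t.remember_me_max
    return now - s.last_refresh > idle or now - s.started > max_life


def clear_remember_me_cookie(event: str, remember_me_checked: bool = False) -> bool:
    """KEYCLOAK_REMEMBERME is only a username hint for the login page, so it
    is dropped on an explicit logout or on a login submitted with the box
    unchecked, never merely because the SSO session expired (KEYCLOAK-2741)."""
    if event == "logout":
        return True
    if event == "login":
        return not remember_me_checked
    return False  # "sso_expired" and anything else keep the cookie
```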
</body>
</html>