[keycloak-user] SSO Session Idle Timeout for Direct

Schneider, John DODGE CONSULTING SERVICES, LLC John.Schneider at carrier.utc.com
Fri Aug 22 09:52:47 EDT 2014


My application is checking the access token timeout and refreshing it if expired. The thing is, the tokens are being invalidated after the SSO session timeout.  So if I have the access token timeout set to 4 hours, and the SSO timeout set to 15 minutes, the access token and refresh tokens are both invalidated after only 15 minutes.

Date: Thu, 21 Aug 2014 17:34:16 -0400
From: Bill Burke <bburke at redhat.com>
Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct Grants
To: keycloak-user at lists.jboss.org
Message-ID: <53F665D8.9000303 at redhat.com>
Content-Type: text/plain; charset=windows-1252; format=flowed


I don't agree...

Your application should be checking for token timeouts and performing a refresh. The response from direct-grant gives you a refresh token as well as an access token as well as a timeout (which you could check from the access token).

Since you have a refresh token, you can refresh the access token. You still want the same setup: short access token lifespan (seconds/minutes) with a longer refresh timeout (minutes/hours). This is for revocation checks, permission changes, etc.

I could set up a different SSO timeout/access token timeout for grant requests if you want, but that would have to be after 1.0.final.
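The client behaviour Bill describes, as an added example that is not part of the thread or of Keycloak's own code: the application reads `exp` from the access token, refreshes shortly before it expires, and falls back to a fresh direct grant when the refresh token is no longer honoured because the SSO session idle timeout has elapsed. The "server" here is a constructed stand-in for a realm, the tokens are unsigned JWT-shaped strings built for the demo, and the `sid`/`typ` claims on the refresh token are assumptions made for the model, not documented Keycloak claims.

```python
import base64
import json
from typing import Callable, Dict, List, Optional

# Added example (not from the mailing-list thread or from Keycloak).
# Models: short access-token lifespan, longer refresh window bounded by the
# SSO session idle timeout, and a client that schedules its own refreshes.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_jwt(claims: Dict) -> str:
    """Build an unsigned JWT-shaped token for the offline demo (constructed)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> Dict:
    """Read the payload of a JWT without verifying it. Good enough for the
    client to read `exp` and plan a refresh; the server still validates."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def needs_refresh(access_token: str, now: float, skew: int = 30) -> bool:
    """True once the access token has expired or will within `skew` seconds."""
    return jwt_claims(access_token)["exp"] - skew <= now


class RefreshRejected(Exception):
    """The server refused the refresh token (revoked, or SSO session idle)."""


class FakeClock:
    def __init__(self, start: float) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds


class FakeKeycloak:
    """Constructed stand-in for a realm: access tokens live `access_lifespan`
    seconds; a refresh is honoured only while the SSO session saw activity
    within `sso_idle` seconds, which is the behaviour the thread describes."""

    def __init__(self, access_lifespan: int, sso_idle: int, clock: FakeClock):
        self.access_lifespan, self.sso_idle, self.clock = access_lifespan, sso_idle, clock
        self.sessions: Dict[str, float] = {}  # session id -> last activity
        self.session_seq = 0

    def _mint(self, sid: str) -> Dict:
        now = self.clock.now
        self.sessions[sid] = now  # any token issuance counts as session activity
        return {
            "access_token": make_jwt({"exp": int(now + self.access_lifespan), "sid": sid}),
            "refresh_token": make_jwt({"exp": int(now + self.sso_idle), "sid": sid, "typ": "Refresh"}),
            "expires_in": self.access_lifespan,
        }

    def direct_grant(self) -> Dict:
        """Direct (password) grant; credentials are omitted in the demo."""
        self.session_seq += 1
        return self._mint(f"sess-{self.session_seq}")

    def refresh(self, refresh_token: str) -> Dict:
        sid = jwt_claims(refresh_token)["sid"]
        last = self.sessions.get(sid)
        if last is None or self.clock.now - last > self.sso_idle:
            self.sessions.pop(sid, None)
            raise RefreshRejected("SSO session idle timeout reached")
        return self._mint(sid)


class TokenManager:
    """Client side: serve the cached access token while valid, refresh when it
    is about to expire, and re-run the direct grant if the refresh is rejected."""

    def __init__(self, grant: Callable[[], Dict], refresh: Callable[[str], Dict], clock: FakeClock):
        self.grant, self.refresh, self.clock = grant, refresh, clock
        self.tokens: Optional[Dict] = None
        self.log: List[str] = []

    def get_access_token(self) -> str:
        if self.tokens is None:
            self.tokens = self.grant()
            self.log.append("grant")
        elif needs_refresh(self.tokens["access_token"], self.clock.now):
            try:
                self.tokens = self.refresh(self.tokens["refresh_token"])
                self.log.append("refresh")
            except RefreshRejected:
                self.tokens = self.grant()  # session gone: authenticate again
                self.log.append("regrant")
        else:
            self.log.append("cached")
        return self.tokens["access_token"]


def run_scenario() -> List[str]:
    """Access lifespan 300 s, SSO idle 900 s: the refresh at t=310 succeeds,
    but after 1000 s without activity the refresh token is dead."""
    clock = FakeClock(1_700_000_000)
    kc = FakeKeycloak(access_lifespan=300, sso_idle=900, clock=clock)
    tm = TokenManager(kc.direct_grant, kc.refresh, clock)
    for step in (0, 200, 110, 1000):  # seconds to advance before each call
        clock.advance(step)
        tm.get_access_token()
    return tm.log


if __name__ == "__main__":
    print(run_scenario())  # ['grant', 'cached', 'refresh', 'regrant']
```

The point the scenario makes is the one in the thread: a long access-token lifespan does not extend the session, so what actually decides how long a direct-grant client can keep going without re-authenticating is the SSO session idle timeout, and each successful refresh is what keeps that session alive.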
