[keycloak-user] SSO Session Idle Timeout for Direct Grants

Stian Thorgersen stian at redhat.com
Tue Aug 26 08:34:44 EDT 2014



----- Original Message -----
> From: "John DODGE CONSULTING SERVICES Schneider, LLC" <John.Schneider at carrier.utc.com>
> To: keycloak-user at lists.jboss.org
> Sent: Friday, 22 August, 2014 3:52:47 PM
> Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct Grants
> 
> My application is checking the access token timeout and refreshing it if
> expired. The thing is, the tokens are being invalidated after the SSO
> session timeout. So if I have the access token timeout set to 4 hours, and
> the SSO timeout set to 15 minutes, the access token and refresh tokens are
> both invalidated after only 15 minutes.

It doesn't really make much sense to have idle timeout shorter than access token timeout. For example in your case above the user session is logged out after 15 min, but an application can still access services using the token for nearly another 4 hours.

> 
> Date: Thu, 21 Aug 2014 17:34:16 -0400
> From: Bill Burke <bburke at redhat.com>
> Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct Grants
> To: keycloak-user at lists.jboss.org
> Message-ID: <53F665D8.9000303 at redhat.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
> 
> I don't agree...
> 
> Your application should be checking for token timeouts and performing a
> refresh. The response from direct-grant gives you a refresh token as
> well as an access token as well as a timeout (which you could check from
> the access token).
> 
> Since you have a refresh token, you can refresh the access token. You
> still want the same setup: Short access token lifespan
> (seconds/minutes) with a longer refresh timeout minutes/hours. This is
> for revocation checks, permission changes, etc.
> 
> I could set up a different SSO timeout/access token timeout for grant
> requests if you want, but that would have to be after 1.0.final.
> 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
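The two points made in the thread, as an added example that is not code from the thread or from Keycloak: a check that the SSO idle timeout is at least the access token lifespan (otherwise a token stays usable after the session has idled out), and the client-side refresh decision recommended for direct-grant tokens. The settings dict, its key names and the unsigned test JWT are constructed for this example and are not Keycloak configuration keys.

```python
import base64
import json
import time

# Constructed realm settings (seconds) using the numbers from the thread:
# SSO session idle 15 min, access token lifespan 4 h. Key names are placeholders.
REALM_SETTINGS = {"sso_session_idle": 15 * 60, "access_token_lifespan": 4 * 60 * 60}


def exposure_after_logout(settings):
    """Seconds an access token can stay valid after the SSO session idles out.
    Positive means the token outlives the session; zero means it never does."""
    return max(0, settings["access_token_lifespan"] - settings["sso_session_idle"])


def check_realm_settings(settings):
    """Findings for a realm; empty when the idle timeout covers the token lifespan."""
    gap = exposure_after_logout(settings)
    if gap == 0:
        return []
    return [f"access token may outlive the SSO session by up to {gap} s; "
            "raise sso_session_idle or shorten access_token_lifespan"]


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_exp(jwt):
    """Read exp from the JWT payload for the client's own refresh decision.
    No signature check here: the server verifies the token when it is presented."""
    payload = json.loads(_b64url_decode(jwt.split(".")[1]))
    return int(payload["exp"])


def needs_refresh(jwt, now=None, skew=30):
    """True when the access token is expired or expires within `skew` seconds,
    i.e. the client should use its refresh token before the next call."""
    now = time.time() if now is None else now
    return token_exp(jwt) - now <= skew


def make_unsigned_jwt(claims):
    """Constructed, unsigned (alg "none") JWT so the example runs offline;
    real Keycloak tokens are signed and must never be accepted unsigned."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."
```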

