[keycloak-user] Login timeout

Bill Burke bburke at redhat.com
Wed Jul 15 18:07:33 EDT 2015



On 7/15/2015 9:37 AM, Juraci Paixão Kröhling wrote:
> All,
>
> When a user's session is timed out, the usual approach is to issue a
> logout via the JavaScript adapter, which in turn will redirect the
> browser to the login page at Keycloak.
>
> The problem we are facing is that the user might not be active at this
> time (the session has already timed out, after all), so, it might take a
> while for the user to login again. If the user takes too long to login
> again, Keycloak will display a login error, saying "Login timeout.
> Please login again".
>

Yeah, we are fixing timeouts a little.  There are 2 timeouts:  Timeout 
of a login action.  This happens if you take too long in the login 
process.  In this case the login session is still active in memory. 
What we'll do is just redirect the user to the login screen to start 
over and give them this error message.  "You took too long to login. 
Please restart login process.".

Next one is timeout of the session.  When this happens, we have no 
information on how to complete the login.  Information like the SAML 
Request or OIDC query parameters.  In this case we will be redirecting 
back to the client.  Client will choose whether to restart 
authentication over or not.

> While I understand the technical aspects behind this, I think this is
> problematic from the UXD perspective. Why should the user enter the same
> valid login/password again, if the first ones were just fine?
>

I'm not sure we can fix this.  If there is a session timeout, we have no 
information on how to complete the authentication as this information 
has been wiped out.  So the only option is to redirect back to the 
client in this situation.


> As a "temporary" solution for Hawkular, we are *not* issuing a logout
> via the JS adapter, but doing a "clearToken" and showing a modal with a
> message like "Your session has timed out, login again", forcing the user
> to click on a "Login" button, which will then redirect the user to the
> login page. This is also not optimal from the UXD perspective, but at
> least won't display an error message to the user.
>

I think what you are doing is the best solution.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

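The workaround Juraci describes above (don't call the adapter's logout; clear the tokens locally, show a "session timed out" modal, and only start a new login when the user clicks), as an added example that is not Hawkular's or Keycloak's own code. It is written against the method names of the keycloak-js adapter (updateToken, clearToken, login, logout, onTokenExpired) and assumes the Promise-returning updateToken() of newer adapter versions (the 2015 adapter used .success()/.error() callbacks). The `ui` object with showModal() and currentUrl(), the fake adapter, and the URL are constructed stand-ins so the example runs offline.

```javascript
// Added example, not code from the thread or from Keycloak/Hawkular.
// Assumes keycloak-js style methods; the fake adapter below stands in for the
// real one so the logic can be exercised without a server.

const MIN_VALIDITY_SECONDS = 30; // ask for a refresh if the token has less than this left

// Core of the workaround. Returns a Promise resolving to 'refreshed' when the
// SSO session was still alive and the token was silently renewed, or to
// 'prompted' when the session had timed out and the modal was shown.
function handleTokenExpiry(keycloak, ui) {
  return keycloak.updateToken(MIN_VALIDITY_SECONDS).then(
    function () {
      return 'refreshed';
    },
    function () {
      // Refresh failed: the Keycloak session is gone. Do NOT call
      // keycloak.logout() here: that redirects an idle user to the login page
      // right away, and if they only come back later they hit
      // "Login timeout. Please login again".
      keycloak.clearToken(); // drop stale tokens locally, no redirect
      ui.showModal('Your session has timed out, please log in again', function onLogin() {
        // The user is demonstrably present now, so start a fresh login flow
        // and return to the page they were on.
        keycloak.login({ redirectUri: ui.currentUrl() });
      });
      return 'prompted';
    }
  );
}

// Wire the handler to the adapter's expiry callback.
function installSessionExpiryHandler(keycloak, ui) {
  keycloak.onTokenExpired = function () {
    handleTokenExpiry(keycloak, ui);
  };
}

// Constructed stand-in for the keycloak-js adapter (same method names as the
// real one). `ssoSessionAlive` decides whether the server would accept the
// refresh token.
function makeFakeAdapter(opts) {
  return {
    calls: [],
    authenticated: true,
    token: 'access-token-1',
    refreshToken: 'refresh-token-1',
    onTokenExpired: null,
    updateToken: function (minValidity) {
      this.calls.push('updateToken:' + minValidity);
      if (opts.ssoSessionAlive) {
        this.token = 'access-token-2';
        return Promise.resolve(true); // real adapter resolves true when it refreshed
      }
      return Promise.reject(new Error('refresh token rejected: session expired'));
    },
    clearToken: function () {
      this.calls.push('clearToken');
      this.token = null;
      this.refreshToken = null;
      this.authenticated = false;
    },
    login: function (options) {
      this.calls.push('login:' + options.redirectUri);
    },
    logout: function () {
      this.calls.push('logout');
    },
  };
}

// Constructed stand-in for the application's UI layer (assumed, not part of the adapter).
function makeFakeUi() {
  return {
    modal: null,
    currentUrl: function () {
      return 'https://app.example/dashboard'; // constructed URL
    },
    showModal: function (message, onLogin) {
      this.modal = { message: message, onLogin: onLogin };
    },
  };
}
```

The important property is that `logout` is never called on the timeout path: the user sees a modal, the login page is only reached when they press the button, and the redirect back to the original page happens through `redirectUri` rather than through whatever state Keycloak might have discarded.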