[keycloak-user] Best practices for combining web and mobile usage in one realm
Iván Perdomo
ivan at akvo.org
Wed Nov 16 03:55:51 EST 2016
Hi,
I think you should look at offline tokens, introduced in Keycloak 1.6.1 [1]
[1] http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html
On 11/15/2016 06:06 PM, Aritz Maeztu wrote:
> Hi all,
>
> I'm using Keycloak 2.2.1 to secure my application. The application can
> be accessed both via web and mobile (Android app). Both of them use the
> authorization code flow, which I believe is the ideal form of
> authentication for my case.
>
> The topic I want to clarify here is token lifespans. As far as I
> understand, the SSO session idle timeout determines how long a token
> can last without being refreshed. On the other hand, SSO session max
> determines how long a token can last, even if it's being refreshed again
> and again. Well, now a couple of questions:
>
> 1. Is there a way to make the web session limited to, let's say, 30
> minutes and to have a long lived refresh token for the app?
>
> 2. How to deal with the refresh token in the app? What I do right now is
> to launch a webview when application starts and store the access and
> refresh tokens in user preferences (which is secured in Android). I wrap
> each http request made from the app and add the access token, unless it
> has expired, then I request a new access token with the refresh token.
> But when should I check the validity for the refresh token itself? I
> don't want a chain of requests being interrupted because of the refresh
> token being expired!
>
> Thanks in advance for your help!
>
>
--
Iván
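The second question in the quoted mail (when to check the refresh token so a chain of requests is not interrupted) and the offline-token suggestion above can both be shown in one piece of client-side bookkeeping. The following is an added example and is not code from this thread, from Keycloak, or from either poster's app. It assumes the Keycloak 2.x token endpoint path (`/auth/realms/<realm>/protocol/openid-connect/token`), that Keycloak marks offline refresh tokens with the `typ` claim `"Offline"`, and the placeholder host, realm and client id used in the demo at the bottom are invented. The sample tokens are constructed inline with a dummy signature; the client never verifies signatures itself, it only reads `exp` to schedule refreshes, and the server re-validates every token it receives.

```python
"""Client-side bookkeeping for a Keycloak access/refresh token pair.

Decides, before a single request or a whole chain of requests, whether the
stored tokens can be used as-is, must be refreshed, or need a fresh login.
"""
import base64
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_jwt(payload: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed sample data only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.dummysig"


def jwt_payload(token: str) -> dict:
    """Read a JWT's payload without verifying it. The client only uses the
    claims to schedule refreshes; Keycloak validates signature and expiry on
    every use, so trusting them locally does not weaken anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    body = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(body))


class TokenSet:
    def __init__(self, access_token: str, refresh_token: str, skew: int = 30):
        self.skew = skew  # seconds of clock skew / latency to tolerate
        self.update(access_token, refresh_token)

    def update(self, access_token: str, refresh_token: str) -> None:
        """Call after every successful refresh: Keycloak returns a new refresh
        token whose exp has moved forward (session idle timeout restarted)."""
        self.access_token = access_token
        self.refresh_token = refresh_token
        self._refresh = jwt_payload(refresh_token)

    @property
    def is_offline(self) -> bool:
        # Assumption: Keycloak sets typ "Offline" on offline tokens, which do
        # not expire by exp (revocation by Offline Session Idle is server-side).
        return self._refresh.get("typ") == "Offline"

    def refresh_valid_at(self, t: float) -> bool:
        if self.is_offline:
            return True
        return int(self._refresh.get("exp", 0)) > t + self.skew

    def state(self, now: float = None) -> str:
        """'ok', 'refresh' or 'reauth' for one request issued at `now`."""
        now = time.time() if now is None else now
        if not self.refresh_valid_at(now):
            return "reauth"  # refresh token gone: start a new login first
        access_exp = int(jwt_payload(self.access_token).get("exp", 0))
        return "ok" if access_exp > now + self.skew else "refresh"

    def can_run_chain(self, now: float, duration: float) -> bool:
        """Check once, before starting a chain expected to take `duration`
        seconds, that refreshing mid-chain will still be possible at its end."""
        return self.refresh_valid_at(now + duration)


def token_endpoint(base_url: str, realm: str) -> str:
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token"


def build_refresh_request(base_url: str, realm: str, client_id: str, refresh_token: str):
    """URL and form fields for the refresh grant (sent as
    application/x-www-form-urlencoded; a public Android client has no secret)."""
    return token_endpoint(base_url, realm), {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    }


def offline_auth_params(params: dict) -> dict:
    """Add offline_access to the authorization request's scope so Keycloak
    issues an offline token instead of a session-bound refresh token."""
    scopes = set(params.get("scope", "").split()) | {"offline_access"}
    return {**params, "scope": " ".join(sorted(scopes))}


if __name__ == "__main__":
    now = int(time.time())
    ts = TokenSet(make_sample_jwt({"exp": now + 60, "typ": "Bearer"}),
                  make_sample_jwt({"exp": now + 1800, "typ": "Refresh"}))
    print(ts.state(now), ts.can_run_chain(now, 1000), ts.can_run_chain(now, 1790))
    print(build_refresh_request("https://sso.example.com/auth", "demo",
                                "android-app", ts.refresh_token)[0])
```

The point for the Android app is `can_run_chain`: decide before the chain whether the refresh token (whose `exp` is bounded by SSO Session Idle and capped by SSO Session Max) outlives the work, and re-authenticate up front if not, instead of discovering it mid-chain. With an offline token the `exp` check disappears, but the refresh call itself can still fail if the token was revoked or unused longer than the realm's Offline Session Idle, so the refresh path must still handle an error response by falling back to a new login.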