[keycloak-user] Strange behavior upon the RP initiated logout
Known Michael
known.michael at gmail.com
Wed Feb 1 05:17:58 EST 2017
Hey,
I successfully integrated mod_auth_openidc with Keycloak:
https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/mod-auth-openidc.html
In addition to the master realm we use our own realm.
I have strange behavior upon the RP initiated logout.
I access RP logout URL it redirects to Keycloak using the logout endpoint
(https://<ip>/auth/realms/realm/protocol/openid-connect/logout) as
described here:
https://github.com/pingidentity/mod_auth_openidc/wiki/Session-Management#logout
Unfortunately, Keycloak redirect me to the “Session not active” error
string when I press on the logout after couple of minutes of work.
The logout is successfully if I press the logout button after 1 or 2
minutes after the login.
I have tried to debug Keycloak and I have found the following:
TokenManager in the function
org.keycloak.protocol.oidc.TokenManager#verifyIDToken calls to JsonWebToken
and founds that the token is expired
(org.keycloak.representations.JsonWebToken#isExpired)
It caused since the expiration of the token is very short (couple of
minutes).
Questions:
1) How to configure the token expiration?
I have increased “SSO Session Idle” to 90 minute but it does not change the
token expiration (it remains short)
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/sessions/timeouts.html
2) Why logout cannot work after couple of minutes?
More information about the keycloak-user
mailing list