[keycloak-user] Session idle timeout and KeycloakSecurityContextRequestFilter

Enguerrand Dibanda enguerrandd at gmail.com
Fri Feb 15 15:31:29 EST 2019


Hello community,

I'm using keycloak to secure an application with the
keycloak-spring-security-adapter version 4.8.3.Final. This is not a
spring-boot application.

I want to display a popup to the user, say, 5 minutes before the session
timeout to give him/her a chance to save his/her work. To do that I use the
refreshToken expiration date, which matches the "session idle timeout" config
in Keycloak, to compute how long the session is still valid.

The issue I'm facing however is that all requests go through the
KeycloakSecurityContextRequestFilter which refreshes the access token when
it expires but will also get a new refresh token prolonging the session
automatically.

My workaround was to insert a filter before the
KeycloakSecurityContextRequestFilter which will put the same FILTER_APPLIED
variable in the request that the KeycloakSecurityContextRequestFilter sets
when applied, to be able to skip that filter for the session check url. This
works but I'm not very happy with that solution because it is not very
elegant and relies on private data of the
KeycloakSecurityContextRequestFilter.

Is there maybe a better way to configure excludedUrls for the
KeycloakSecurityContextRequestFilter?

Shouldn't the keycloak-spring-security-adapter make that filter
automatically skip unsecured urls, i.e. urls declared as
.antMatcher("/unsecured").permitAll() ?

Or maybe I'm not taking the right approach to solve this issue?

best regards,
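A sketch of the workaround described in the post, as an added example that is not code from the original message or from the Keycloak project: a servlet filter placed before KeycloakSecurityContextRequestFilter that answers the session-check URL itself and marks the request so the adapter filter skips it (hence no token refresh), then reports the seconds left until the refresh token's exp claim. The check path, the mirrored FILTER_APPLIED attribute name and the runtime cast to RefreshableKeycloakSecurityContext are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;

/** Registered before KeycloakSecurityContextRequestFilter; handles the session-check URL itself. */
public class SessionCheckFilter implements Filter {
    // Hypothetical path the browser polls to decide when to show the "save your work" popup.
    static final String SESSION_CHECK_PATH = "/session/remaining";
    // Assumption: mirrors the private attribute name the 4.8.x adapter filter tests before running
    // (the private coupling the post complains about).
    static final String FILTER_APPLIED =
            "org.keycloak.adapters.springsecurity.filter.KeycloakSecurityContextRequestFilter.APPLIED";
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (!SESSION_CHECK_PATH.equals(req.getServletPath())) {
            chain.doFilter(request, response); // every other URL keeps the normal refresh behaviour
            return;
        }
        req.setAttribute(FILTER_APPLIED, Boolean.TRUE); // adapter filter sees this and skips, so no refresh
        HttpServletResponse resp = (HttpServletResponse) response;
        Object auth = SecurityContextHolder.getContext().getAuthentication();
        if (!(auth instanceof KeycloakAuthenticationToken)) {
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // no Keycloak session: nothing to report
            return;
        }
        // Assumption: the adapter stores a RefreshableKeycloakSecurityContext in the account.
        RefreshableKeycloakSecurityContext ctx = (RefreshableKeycloakSecurityContext)
                ((KeycloakAuthenticationToken) auth).getAccount().getKeycloakSecurityContext();
        long remaining = secondsUntilExpiry(ctx.getRefreshToken(), System.currentTimeMillis() / 1000);
        resp.setContentType("application/json");
        resp.getWriter().write("{\"remainingSeconds\":" + remaining + "}");
    }

    /** Seconds until the JWT's exp claim; 0 if already expired or the token is unreadable. */
    static long secondsUntilExpiry(String jwt, long nowSeconds) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) return 0;
        // The token comes from the server-side security context, so the payload is only decoded, not verified.
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = EXP.matcher(payload);
        return m.find() ? Math.max(0, Long.parseLong(m.group(1)) - nowSeconds) : 0;
    }
}
```

Because the adapter filter is skipped for this one path, the poll neither refreshes the access token nor extends the Keycloak session, which is the property the popup timer needs.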

