On 08/18/2015 11:21 AM, Artur Dryomov wrote:

Thank you for the answers.

No. Even if the refresh token is configured to not expire, it will
expire should the user perform a logout. In other words: every
refresh token needs an active user session, otherwise it's
understood that it has expired.

Is it possible to configure the session length to a longer period by
default then? 30 minutes seems very little and, as I’ve mentioned, will
be (very) frustrating for users.

I'm afraid it wouldn't solve the problem. Instead of 30 minutes, we
could use another "reasonable" value (60, 90 minutes), and it would be
almost equally frustrating. Increasing this value too much (8h, 1w),
however, is a security concern.

I'd suggest watching the JIRA I mentioned before and switching the client
in the future to use those permanent tokens. Unfortunately, there's no
good short-term solution.

- Juca.