Re: [keycloak-dev] Offline Session Max for Offline Token
by 乗松隆志 / NORIMATSU,TAKASHI
Hello,
I agree with you. The specification seems to be as follows.
* As default, operate as current Offline Access does, namely "Offline Session Max" concept is not adopted.
* On Admin Console, have "Offline Session Max Limited" ON/OFF switch. If ON, show "Offline Session Max" dropdown whose default value is "60 days". If Off, it disappears. Default is OFF.
* In Model, not use something to keep "Offline Session Max Limited" ON/OFF switch setting. Only use int to keep "Offline Session Max" value whose unit is "second". -1 indicates "infinity", namely not expire by "Offline Session Max".
One point I would like to discuss is how to accommodate "Offline Session Max" setting (also "Offline Session Max Limited" ON/OFF switch implicitly).
My proposal is the following.
* On UI(html, js) and RealmModel, use setter/getter.
* On RealmAdapter and RealmEntity, use attributes.
* On RealmAttributes, define its attribute key such as
String OFFLINE_SESSION_MAX_LIFESPAN = "offlineSessionMaxLifespan";
The reason why is to avoid DB migration works.
What do you think about that?
Best regards,
Takashi Norimatsu
Hitachi Ltd.,
-----Original Message-----
From: Marek Posolda <mposolda(a)redhat.com>
Sent: Monday, June 18, 2018 8:29 PM
To: 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws(a)hitachi.com>; 'keycloak-dev(a)lists.jboss.org' <keycloak-dev(a)lists.jboss.org>
Subject: [!]Re: [keycloak-dev] Offline Session Max for Offline Token
Hi,
it makes sense to me to have support for this. However IMO default value should be still "infinity" like it is now.
I am not sure what is the best way to handle this in admin console considering usability? Considering that timeouts in admin console (Tab "Tokens" of "Realm Settings") doesn't yet support infinity. And other timeouts besides "Offline Session Max" still should be kept to not support infinity IMO.
Maybe one way is to have On/Off switch like "Offline Session Max Limited" . It is off by default and when it is switched to ON, it will show another field "Offline Session Max" with the timeout? Which can be
60 days by default maybe? At the model level, there would be still single int value IMO (EG. When the value is -1, it means infinity, which means that "Offline Session Max Limited" switch will be OFF in admin console and "Offline Session Max" hidden. When it is positive value, the "Offline Session Max Limited" switch will be ON and the actual value of timeout "Offline Session Max" will be shown). Could this work?
Marek
On 14/06/18 08:36, 乗松隆志 / NORIMATSU,TAKASHI wrote:
> Hello,
>
> I've found that keycloak does not support Offline Session Max related to Offline Token while supports SSO Session Max related to Refresh Token.
>
> For authorization of REST API services, long life(not infinite, such as 60days) refresh token is required, offline access and persistency in keycloak side are also expected.
> Therefore, Offline Session Max is required for offline token.
>
> For example, consulting MS Azure, it has already supported this concept.
> https://clicktime.symantec.com/a/1/--rcGHJujTdPJSfFwNlM2MIYGqLILoWPKdL
> 9CWfmjNc=?d=YWVjrivvynl5nVuhig7Zwbvg38OkJyUVDhaDQ312OlDzgNM4xTTDVE89zf
> _mLEMJrbOBesYy_-Yw2RhKJfJm5AANJ_OD6WaMyDNij1Xb4Cuf-VYC4Ch2z5y5DLJ3vdQd
> Cr_N3VusQfJENUGg44FTkalpZ_1vwmTbXJV1hjQGmNYtp8Hp6BWFQZmIv60C2fQGJYo4R0
> Pzdorm-4IhlIYi5LyAp_T45WsKMOn7PkZVYkBanJxHl3ESfMgcvkxElRlAfh2luIzQQkiz
> e7gu-mj7EDmYyUiA6n4ngr8_PD0i3-0-GJbATfxQjS3Cg-MTJbjf6DdPlNhxriDK869vtT
> 2bc6zkl0tBQxOQ5Sr6xspyxpbjN5mwFSvN4w2AmX0pfoubD3uf8mSNb5dBZjJ4xkOj9w%3
> D%3D&u=https%3A%2F%2Fdocs.microsoft.com%2Fen-US%2Fazure%2Factive-direc
> tory%2Fdevelop%2Factive-directory-token-and-claims%23token-revocation
>
> I would like to try to implement this feature.
> Best regards,
> Takashi Norimatsu
> Hitachi Ltd.,
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://clicktime.symantec.com/a/1/PRLXsV_IH6jByHBptfs7DU9QRvpmlAlFI31
> S45woinY=?d=YWVjrivvynl5nVuhig7Zwbvg38OkJyUVDhaDQ312OlDzgNM4xTTDVE89zf_mLEMJrbOBesYy_-Yw2RhKJfJm5AANJ_OD6WaMyDNij1Xb4Cuf-VYC4Ch2z5y5DLJ3vdQdCr_N3VusQfJENUGg44FTkalpZ_1vwmTbXJV1hjQGmNYtp8Hp6BWFQZmIv60C2fQGJYo4R0Pzdorm-4IhlIYi5LyAp_T45WsKMOn7PkZVYkBanJxHl3ESfMgcvkxElRlAfh2luIzQQkize7gu-mj7EDmYyUiA6n4ngr8_PD0i3-0-GJbATfxQjS3Cg-MTJbjf6DdPlNhxriDK869vtT2bc6zkl0tBQxOQ5Sr6xspyxpbjN5mwFSvN4w2AmX0pfoubD3uf8mSNb5dBZjJ4xkOj9w%3D%3D&u=https%3A%2F%2Flists.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-dev