Re: [keycloak-dev] Cookies & RememberMe clarification

From: "Marek Posolda" <mposolda(a)redhat.com&gt; To: keycloak-dev(a)lists.jboss.org Sent: Tuesday, 16 September, 2014 12:09:07 PM Subject: [keycloak-dev] Cookies & RememberMe clarification Have few questions related to cookies & rememberMe. 1) Actually the KEYCLOAK_IDENTITY cookie is generated with the -1 by default (so expires when browser is closed). Thing is that lifespan of the identityToken generated in AuthenticationManager.createIdentityToken is just ssoSessionIdleTimeout, which is 10 minutes by default. And cookie is refreshed just during cookie SSO login. So for example when I have scenario like: * Login to admin console * Do some admin work for 15 minutes * Then click to "Manage my account" button (or to some other Keycloak secured application), the token in the KEYCLOAK_IDENTITY cookie is not valid anymore, so I am immediately logged out. Note that UserSession is still valid as I had couple of refreshToken requests during my 15 minutes 'admin' work. So my question is if we can use ssoSessionMaxLifespan for the identity token instead of ssoSessionIdleTimeout? Note that even in cookie authentication, we are also checking if UserSession is valid. So if UserSession is expired, the login won't be successful anyway. 2) Second thing is RememberMe feature. Actually we have KEYCLOAK_REMEMBER_ME cookie, which is set after successful login with rememberMe. But this cookie is actually not used anywhere for relogin! Only thing is KEYCLOAK_IDENTITY cookie set with the lifespan of ssoSessionIdleTimeout, so once you restart browser, KEYCLOAK_IDENTITY cookie will survive and you will be able to relogin. Problem is that KEYCLOAK_IDENTITY is tight to particular UserSession. So for example if I have scenario like: * Login to admin console * Close my browser and wait 15 minutes * Then open my browser and try to relogin --- ATM both UserSession and KEYCLOAK_IDENTITY cookie are not valid anymore so rememberMe doesn't work and Keycloak login screen is displayed to me. Also scenario like: * Login to admin console * Close my browser and restart Keycloak * Then open my browser and try to relogin --- rememberMe also won't work as UserSession is not valid (unless I am using 'jpa' or 'mongo' UserSession provider). IMO RememberMe shouldn't be tight to particular UserSession. I would expect that when I start browser next day, I will be automatically logged in even if my UserSession from previous day is already expired. It seems that to properly support RememberMe, we should use KEYCLOAK_REMEMBER_ME cookie instead of KEYCLOAK_IDENTITY . IMO value of KEYCLOAK_REMEMBER_ME cookie should be random token signed by realm privateKey and valid just for one use (Each RememberMe login will regenerate token and refresh value of KEYCLOAK_REMEMBER_ME cookie) . This would mean that we will need to persist stuff related to rememberMe with some additional related informations (realm, user, timestamp, ipAddress). So for example if admin will set Not-Before for realm, it will also invalidate all stored rememberMe tokens. It seems that this will require some model changes and amount of work, but ATM RememberMe feature seems to be quite unusable to me. wdyt? Marek _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev