Think I've figured out what's going on with problem b.
UserSession.LastSessionRefresh is only updated if the next access token refresh is after
the timeout. The access token is also only refreshed when a request is made. With the
default values being:
* access token lifespan: 1 min
* sso idle timeout: 5 min
This means that a request has to be made between 4 min and 5 min after the last time
LastSessionRefresh was updated. So you can basically browse around all you want for 4
minutes, leave it idle for 60 seconds, then when you do the next request the session will
be timed out.
The simple solution seems to be to update LastSessionRefresh every time the token is
refreshed. Then post-1.0.final come up with a better scheme to reduce the amount of writes
to UserSession.LastSessionRefresh.
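
The timing described in the message above, as an added example that is not part of the original thread and is not Keycloak code: a simplified Python model of the refresh rule with the default values (60 s token lifespan, 300 s idle timeout), run with and without the proposed fix. The class, function and parameter names are hypothetical, and the request timeline is constructed.

```python
# Simplified model of the behaviour described in the message above.
# Not Keycloak code: class, method and parameter names are hypothetical.

class UserSession:
    def __init__(self, idle_timeout, token_lifespan, always_touch):
        self.idle_timeout = idle_timeout
        self.token_lifespan = token_lifespan
        self.always_touch = always_touch   # True = proposed fix
        self.last_session_refresh = 0
        self.token_expires_at = token_lifespan

    def request(self, now):
        """Handle one request at time `now` (seconds). False = logged out."""
        if now < self.token_expires_at:
            return True                    # token still valid, no refresh
        # Token expired, so this request triggers a refresh.
        if now - self.last_session_refresh > self.idle_timeout:
            return False                   # session is treated as idle
        deadline = self.last_session_refresh + self.idle_timeout
        # Described behaviour: only write when the *next* refresh would
        # fall after the idle deadline. Proposed fix: write on every refresh.
        if self.always_touch or now + self.token_lifespan > deadline:
            self.last_session_refresh = now
        self.token_expires_at = now + self.token_lifespan
        return True


def first_logout(request_times, idle_timeout, token_lifespan, always_touch):
    """Return the time of the first rejected request, or None."""
    session = UserSession(idle_timeout, token_lifespan, always_touch)
    for now in request_times:
        if not session.request(now):
            return now
    return None


# Constructed timeline: a request every 30 s for just under 4 min,
# a pause, then one more request at t=301 (91 s after the previous one).
BROWSE_THEN_PAUSE = list(range(0, 240, 30)) + [301]

if __name__ == "__main__":
    for fix in (False, True):
        label = "update on every refresh" if fix else "described behaviour"
        print(label, first_logout(BROWSE_THEN_PAUSE, 300, 60, fix))
```

In this model, an idle timeout of 30 s with a 5 s token lifespan and a request every 4 s is rejected at t=32 without the fix, because no refresh happens to land in the 5 s window before the deadline.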
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Monday, 8 September, 2014 3:30:29 PM
Subject: Re: [keycloak-dev] screencasts all updated
Actually it seems we have two problems:
a) idletimeout plugin - this causes the logout if you have multiple tabs
open. With the SSO idle timeout feature this is not needed, so we should
just remove it to fix this issue
b) issue with sso idle timeout - I tried setting the SSO idle timeout to a
low number (30 seconds), with access token lifespan lower (5 seconds) and
was continuously browsing. After 1 min or two I was logged out, even though
I was continuously doing requests (and the network log shows it was
refreshing the token)
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Monday, 8 September, 2014 3:05:47 PM
> Subject: Re: [keycloak-dev] screencasts all updated
>
>
>
> On 9/8/2014 8:37 AM, Stian Thorgersen wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke(a)redhat.com>
> >> To: "Stian Thorgersen" <stian(a)redhat.com>
> >> Cc: keycloak-dev(a)lists.jboss.org
> >> Sent: Monday, 8 September, 2014 2:29:59 PM
> >> Subject: Re: [keycloak-dev] screencasts all updated
> >>
> >>
> >>
> >> On 9/8/2014 4:00 AM, Stian Thorgersen wrote:
> >>>
> >>>
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke(a)redhat.com>
> >>>> To: keycloak-dev(a)lists.jboss.org
> >>>> Sent: Friday, 5 September, 2014 10:34:22 PM
> >>>> Subject: [keycloak-dev] screencasts all updated
> >>>>
> >>>> man I hate doing screencasts, but they are finally updated. It really
> >>>> needed to be done as they were not in sync with the current version of
> >>>> keycloak. I haven't linked them yet though. I'll do that when we
> >>>> release.
> >>>
> >>> Nice - next time I can pitch in and do a few ;)
> >>>
> >>>>
> >>>> One thing that drove me crazy was that I kept on getting logged out of
> >>>> the admin console sporadically. Gotta figure out what is going wrong
> >>>> here.
> >>>
> >>> Did you have multiple tabs open? We have a timer that logs you out after
> >>> 300 seconds of inactivity. Problem is that if you have two tabs open with
> >>> the admin console, one you're actively using and another in the
> >>> background, the background tab will end up logging you out after 300
> >>> seconds.
> >>>
> >>
> >> That might be it.
> >>
> >>> We can either remove this altogether (my preferred option) and let the
> >>> SSO idle timeout deal with it, or we could make sure you're only logged
> >>> out if there's no activity to the console (can have tabs write a
> >>> timestamp to html5 storage periodically and check this before logging
> >>> out).
> >>>
> >>
> >> Or just have the timer download the SSO idle timeout.
> >
> > Not sure I follow. Wouldn't that just change the timeout value, but still
> > leave an inactive tab able to logout all tabs?
> >
>
> Actually, are you sure that is it? I thought the timer was for the
> timeout warning, not for anything else? I'm not even seeing the warning.
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
>
> http://bill.burkecentral.com
>