Not sure about that. IMO seconds are
good to have more fine grained timeout values. For example in some
deployment the "Access token timeout" value 1 minute might be too
short, but 2 minutes are too long, so they prefer to use 90
seconds as compromise.
Also seconds are good for development. For example, I am sometimes
using seconds for testing (IE. setting timeout to 10 seconds to
quickly enforce refresh etc)
Skip seconds to address KEYCLOAK-1341 looks to me like workaround
rather than real solution. The question is if we should address
KEYCLOAK-1341 at all? There are probably many possibilities how
can admin breaks the login to admin console itself or break the
keycloak entirely. Few examples, which come to my mind (there are
likely much more):
- Delete or disable security-admin-console client
- delete or disable himself
- remove roles from himself
- remove scopes from security-admin-console client
- configure authentication flow in some way that it's not possible
login anymore
- Timeouts
I don't think that we should try to prevent all of these
situations. I didn't see any real support questions related to
this. And for example in linux if you do "rm -rf /home" the system
is broken as well. Isn't this kind of similar? IMO admins should
do backup of database, so they can revert if they accidentally
mis-configure things.
Marek
On 21/01/16 20:45, Stian Thorgersen wrote:
_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev