Not sure about that. IMO seconds are good to have more fine grained timeout values. For example in some deployment the "Access token timeout" value 1 minute might be too short, but 2 minutes are too long, so they prefer to use 90 seconds as compromise.

Also seconds are good for development. For example, I am sometimes using seconds for testing (IE. setting timeout to 10 seconds to quickly enforce refresh etc)

Skip seconds to address KEYCLOAK-1341 looks to me like workaround rather than real solution. The question is if we should address KEYCLOAK-1341 at all? There are probably many possibilities how can admin breaks the login to admin console itself or break the keycloak entirely. Few examples, which come to my mind (there are likely much more):
- Delete or disable security-admin-console client
- delete or disable himself
- remove roles from himself
- remove scopes from security-admin-console client
- configure authentication flow in some way that it's not possible login anymore
- Timeouts

I don't think that we should try to prevent all of these situations. I didn't see any real support questions related to this. And for example in linux if you do "rm -rf /home" the system is broken as well. Isn't this kind of similar? IMO admins should do backup of database, so they can revert if they accidentally mis-configure things.

Marek

On 21/01/16 20:45, Stian Thorgersen wrote: