trying to capture the idea in more detail.
On Mon, 18 Nov 2019 at 13:27, Stian Thorgersen <sthorger(a)redhat.com> wrote:
Client session max and idle would not affect how sessions are removed from memory. The session in the memory is the SSO session, not the session for individual clients.
Client session max and idle in regards to OIDC only control the expiration time of the tokens. Refresh tokens and access tokens are only valid up to client session idle. Further, the refresh token can only be refreshed up to client session max. The latter just means we'd need to add an additional claim to the refresh tokens (which should be opaque to clients anyways). Once the refresh token is expired the client would have to obtain new tokens, which, as long as the SSO session is still valid, it can do without the user having to enter credentials.
For SAML there is no refresh token, as such the Client Session Idle would not be applicable. Instead the SAML assertion would be valid for Client Session Max, and the SAML client would fetch a new assertion, which again it could do without the user entering credentials as long as the SSO session is still valid.
On Fri, 15 Nov 2019 at 15:43, Ricardo Martin Camarero <rmartinc(a)redhat.com> wrote:
> Hi,
>
> Stian, note that changing the SSO max time and SSO idle time also affects how the sessions are removed from memory. If the max and/or idle is changed per client, the current removeSessions [1] should be modified to consider the timeouts per client (now only realm is taken into account). Those timeouts do not only affect token generation.
>
> Regards!
>
> [1] https://github.com/keycloak/keycloak/blob/master/model/infinispan/src/mai...
>
> On 11/12/19 4:24 AM, 田畑義之 / TABATA,YOSHIYUKI wrote:
> > Hi,
> >
> > I agree with this idea.
> > This idea will achieve our use case described in the thread [1].
> > Do you have any plans to implement this?
> >
> > [1] https://lists.jboss.org/pipermail/keycloak-dev/2019-September/012530.html
> >
> > Regards,
> > Yoshiyuki Tabata
> > Hitachi, Ltd.
> >
> > -----Original Message-----
> > From: keycloak-dev-bounces(a)lists.jboss.org <keycloak-dev-bounces(a)lists.jboss.org> On Behalf Of Stian Thorgersen
> > Sent: Friday, November 08, 2019 6:09 PM
> > To: keycloak-dev <keycloak-dev(a)lists.jboss.org>
> > Subject: [!][keycloak-dev] Session duration for clients
> >
> > Today we have SSO session max and idle, but there is no way to control duration for individual clients.
> >
> > One side-effect of this is that if the SSO session max is very large all refresh tokens will have a long expiration time.
> >
> > It is also related to the max_age parameter. As tokens have a long expiration the only way to control it is that the client has to manually check auth_time in the tokens.
> >
> > One idea is that we could introduce a Client Session Max and Idle. The realm would allow setting a default value, but it would also be possible to override on a per-client basis. If not set for realm or client it would fall back to SSO Session Max/Idle.
> >
> > For Client Session Max the implementation should be pretty straightforward. When issuing tokens we make sure the expiration is set according to the Client Session Max.
> >
> > For Client Session Idle the implementation should also be pretty straightforward. Tokens would only be valid if within Client Session Idle. As long as clients refresh tokens they will get newly issued tokens that would be within the Client Session Idle, up until they reach Client Session Max, when the refresh token would no longer be valid and the client would need to do a new authentication request to obtain new tokens.
> >
> > We should also add default_max_age to clients, which would make it possible to easily configure re-authentication for specific clients.
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> --
> Ricardo Martín Camarero
> Software Engineer
> Red Hat <https://www.redhat.com>
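The lifetime rules discussed in this thread (tokens valid up to Client Session Idle, refreshable only until Client Session Max, with client overrides falling back to realm defaults and then to SSO Session Idle/Max), as an added worked model that is not Keycloak's code and not from any poster; the `Realm`/`Client` dataclasses, the resolution order and the fixed-interval refresh simulation are assumptions made for illustration:

```python
from dataclasses import dataclass
from typing import Optional
# Constructed model of the proposal in this thread (not Keycloak code); seconds throughout.

@dataclass
class Realm:
    sso_session_idle: int
    sso_session_max: int
    client_session_idle: Optional[int] = None  # proposed realm-wide default
    client_session_max: Optional[int] = None

@dataclass
class Client:
    client_session_idle: Optional[int] = None  # proposed per-client override
    client_session_max: Optional[int] = None

def _first(*values: Optional[int]) -> int:
    return next(v for v in values if v is not None)

def effective_timeouts(realm: Realm, client: Client) -> tuple[int, int]:
    """Resolve (idle, max): client override -> realm default -> SSO Session Idle/Max."""
    idle = _first(client.client_session_idle, realm.client_session_idle, realm.sso_session_idle)
    max_ = _first(client.client_session_max, realm.client_session_max, realm.sso_session_max)
    return idle, max_

def token_expiration(issued_at: int, session_start: int, realm: Realm, client: Client) -> int:
    """Tokens are valid up to Client Session Idle, but never past Client Session Max."""
    idle, max_ = effective_timeouts(realm, client)
    return min(issued_at + idle, session_start + max_)

def refresh(now: int, token_exp: int, session_start: int, realm: Realm, client: Client) -> Optional[int]:
    """Expiration of the re-issued token, or None when the client must re-authenticate."""
    _, max_ = effective_timeouts(realm, client)
    if now >= token_exp:               # idle window missed: refresh token has expired
        return None
    if now >= session_start + max_:    # Client Session Max reached: no further refreshes
        return None
    return token_expiration(now, session_start, realm, client)

def reauth_time(refresh_every: int, realm: Realm, client: Client, session_start: int = 0) -> int:
    """Simulate a client refreshing on a fixed interval; return when refresh first fails."""
    now = session_start
    exp = token_expiration(now, session_start, realm, client)
    while True:
        now += refresh_every
        new_exp = refresh(now, exp, session_start, realm, client)
        if new_exp is None:
            return now
        exp = new_exp
```

With idle 300 s and max 900 s, a client refreshing every 250 s keeps getting tokens until the 900 s ceiling and is sent back for a new authentication request at 1000 s, while one refreshing every 400 s loses its refresh token at the first attempt because the idle window has already passed; in both cases the user is only prompted for credentials if the SSO session itself has expired.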