3:34 p.m.
man I hate doing screencasts, but they are finally updated. It really
needed to be done as they were not in sync with the current version of
keycloak. I haven't linked them yet though. I'll do that when we release.
One thing that drove me crazy was that I kept on getting logged out of
the admin console sporadically. Gotta figure out what is going wrong here.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
3 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Friday, 5 September, 2014 10:34:22 PM
Subject: [keycloak-dev] screencasts all updated
man I hate doing screencasts, but they are finally updated. It really
needed to be done as they were not in sync with the current version of
keycloak. I haven't linked them yet though. I'll do that when we release.
Nice - next time I can pitch in and do a few ;)
One thing that drove me crazy was that I kept on getting logged out of
the admin console sporadically. Gotta figure out what is going wrong here.
Did you have multiple tabs open? We have a timer that logs you out after 300 seconds of
inactivity. Problem is that if you have two tabs open with the admin console, one
you're actively using and another in the background, the background tab will end up
logging you out after 300 seconds.
We can either remove this altogether (my preferred option) and let the SSO idle timeout
deal with it, or we could make sure your only logged out if there's no activity to the
console (can have tabs write a timestamp to html5 storage periodically and check this
before logging out).
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
7:29 a.m.
On 9/8/2014 4:00 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Friday, 5 September, 2014 10:34:22 PM
> Subject: [keycloak-dev] screencasts all updated
>
> man I hate doing screencasts, but they are finally updated. It really
> needed to be done as they were not in sync with the current version of
> keycloak. I haven't linked them yet though. I'll do that when we release.
Nice - next time I can pitch in and do a few ;)
>
> One thing that drove me crazy was that I kept on getting logged out of
> the admin console sporadically. Gotta figure out what is going wrong here.
Did you have multiple tabs open? We have a timer that logs you out after 300 seconds of
inactivity. Problem is that if you have two tabs open with the admin console, one
you're actively using and another in the background, the background tab will end up
logging you out after 300 seconds.
That might be it.
We can either remove this altogether (my preferred option) and let
the SSO idle timeout deal with it, or we could make sure your only logged out if
there's no activity to the console (can have tabs write a timestamp to html5 storage
periodically and check this before logging out).
Or just have the timer download the SSO idle timeout.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
7:37 a.m.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Monday, 8 September, 2014 2:29:59 PM
Subject: Re: [keycloak-dev] screencasts all updated
On 9/8/2014 4:00 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Friday, 5 September, 2014 10:34:22 PM
>> Subject: [keycloak-dev] screencasts all updated
>>
>> man I hate doing screencasts, but they are finally updated. It really
>> needed to be done as they were not in sync with the current version of
>> keycloak. I haven't linked them yet though. I'll do that when we
>> release.
>
> Nice - next time I can pitch in and do a few ;)
>
>>
>> One thing that drove me crazy was that I kept on getting logged out of
>> the admin console sporadically. Gotta figure out what is going wrong
>> here.
>
> Did you have multiple tabs open? We have a timer that logs you out after
> 300 seconds of inactivity. Problem is that if you have two tabs open with
> the admin console, one you're actively using and another in the
> background, the background tab will end up logging you out after 300
> seconds.
>
That might be it.
> We can either remove this altogether (my preferred option) and let the SSO
> idle timeout deal with it, or we could make sure your only logged out if
> there's no activity to the console (can have tabs write a timestamp to
> html5 storage periodically and check this before logging out).
>
Or just have the timer download the SSO idle timeout.
Not sure I follow. Wouldn't that just change the timeout value, but still leave an
inactive tab able to logout all tabs?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8:05 a.m.
On 9/8/2014 8:37 AM, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Monday, 8 September, 2014 2:29:59 PM
> Subject: Re: [keycloak-dev] screencasts all updated
>
>
>
> On 9/8/2014 4:00 AM, Stian Thorgersen wrote:
>>
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: keycloak-dev(a)lists.jboss.org
>>> Sent: Friday, 5 September, 2014 10:34:22 PM
>>> Subject: [keycloak-dev] screencasts all updated
>>>
>>> man I hate doing screencasts, but they are finally updated. It really
>>> needed to be done as they were not in sync with the current version of
>>> keycloak. I haven't linked them yet though. I'll do that when we
>>> release.
>>
>> Nice - next time I can pitch in and do a few ;)
>>
>>>
>>> One thing that drove me crazy was that I kept on getting logged out of
>>> the admin console sporadically. Gotta figure out what is going wrong
>>> here.
>>
>> Did you have multiple tabs open? We have a timer that logs you out after
>> 300 seconds of inactivity. Problem is that if you have two tabs open with
>> the admin console, one you're actively using and another in the
>> background, the background tab will end up logging you out after 300
>> seconds.
>>
>
> That might be it.
>
>> We can either remove this altogether (my preferred option) and let the SSO
>> idle timeout deal with it, or we could make sure your only logged out if
>> there's no activity to the console (can have tabs write a timestamp to
>> html5 storage periodically and check this before logging out).
>>
>
> Or just have the timer download the SSO idle timeout.
Not sure I follow. Wouldn't that just change the timeout value, but still leave an
inactive tab able to logout all tabs?
Actually, are you sure that is it? I thought the timer was for the
timeout warning, not for anything else? I'm not even seeing the warning.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8:30 a.m.
Actually it seems we have two problems:
a) idletimeout plugin - this causes the logout if you have multiple tabs open. With the
SSO idle timeout feature this is not needed, so we should just remove it to fix this
issue
b) issue with sso idle timeout - I tried setting the SSO idle timeout to a low number (30
seconds), with access token lifespan lower (5 seconds) and was continuously browsing.
After 1 min or two I was logged out, even though I was continuously doing requests (and
network log shows it was doing refreshing the token)
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Monday, 8 September, 2014 3:05:47 PM
Subject: Re: [keycloak-dev] screencasts all updated
On 9/8/2014 8:37 AM, Stian Thorgersen wrote:
>
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Monday, 8 September, 2014 2:29:59 PM
>> Subject: Re: [keycloak-dev] screencasts all updated
>>
>>
>>
>> On 9/8/2014 4:00 AM, Stian Thorgersen wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: keycloak-dev(a)lists.jboss.org
>>>> Sent: Friday, 5 September, 2014 10:34:22 PM
>>>> Subject: [keycloak-dev] screencasts all updated
>>>>
>>>> man I hate doing screencasts, but they are finally updated. It really
>>>> needed to be done as they were not in sync with the current version of
>>>> keycloak. I haven't linked them yet though. I'll do that when
we
>>>> release.
>>>
>>> Nice - next time I can pitch in and do a few ;)
>>>
>>>>
>>>> One thing that drove me crazy was that I kept on getting logged out of
>>>> the admin console sporadically. Gotta figure out what is going wrong
>>>> here.
>>>
>>> Did you have multiple tabs open? We have a timer that logs you out after
>>> 300 seconds of inactivity. Problem is that if you have two tabs open with
>>> the admin console, one you're actively using and another in the
>>> background, the background tab will end up logging you out after 300
>>> seconds.
>>>
>>
>> That might be it.
>>
>>> We can either remove this altogether (my preferred option) and let the
>>> SSO
>>> idle timeout deal with it, or we could make sure your only logged out if
>>> there's no activity to the console (can have tabs write a timestamp to
>>> html5 storage periodically and check this before logging out).
>>>
>>
>> Or just have the timer download the SSO idle timeout.
>
> Not sure I follow. Wouldn't that just change the timeout value, but still
> leave an inactive tab able to logout all tabs?
>
Actually, are you sure that is it? I thought the timer was for the
timeout warning, not for anything else? I'm not even seeing the warning.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9:04 a.m.
Think I've figured out what's going on with problem b.
UserSession.LastSessionRefresh is only updated if the next access token refresh is after
the timeout. The access token is also only refreshed when a request is made. With the
default values being:
* access token lifespan: 1 min
* sso idle timeout: 5 min
This means that a request has to be made between 4 min and 5 min after the last time
LastSessionRefresh was updated. So you can basically browse around all you want for 4
minutes, leave it idle for 60 seconds, then when you do the next request the session will
be timed out.
The simple solution seems to be to update LastSessionRefresh everytime the token is
refreshed. Then post-1.0.final come up with a better scheme to reduce the amount of writes
to UserSession.LastSessionRefresh
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Monday, 8 September, 2014 3:30:29 PM
Subject: Re: [keycloak-dev] screencasts all updated
Actually it seems we have two problems:
a) idletimeout plugin - this causes the logout if you have multiple tabs
open. With the SSO idle timeout feature this is not needed, so we should
just remove it to fix this issue
b) issue with sso idle timeout - I tried setting the SSO idle timeout to a
low number (30 seconds), with access token lifespan lower (5 seconds) and
was continuously browsing. After 1 min or two I was logged out, even though
I was continuously doing requests (and network log shows it was doing
refreshing the token)
----- Original Message -----
> From: "Bill Burke" <bburke(a)redhat.com>
> To: "Stian Thorgersen" <stian(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Monday, 8 September, 2014 3:05:47 PM
> Subject: Re: [keycloak-dev] screencasts all updated
>
>
>
> On 9/8/2014 8:37 AM, Stian Thorgersen wrote:
> >
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke(a)redhat.com>
> >> To: "Stian Thorgersen" <stian(a)redhat.com>
> >> Cc: keycloak-dev(a)lists.jboss.org
> >> Sent: Monday, 8 September, 2014 2:29:59 PM
> >> Subject: Re: [keycloak-dev] screencasts all updated
> >>
> >>
> >>
> >> On 9/8/2014 4:00 AM, Stian Thorgersen wrote:
> >>>
> >>>
> >>> ----- Original Message -----
> >>>> From: "Bill Burke" <bburke(a)redhat.com>
> >>>> To: keycloak-dev(a)lists.jboss.org
> >>>> Sent: Friday, 5 September, 2014 10:34:22 PM
> >>>> Subject: [keycloak-dev] screencasts all updated
> >>>>
> >>>> man I hate doing screencasts, but they are finally updated. It
really
> >>>> needed to be done as they were not in sync with the current version
of
> >>>> keycloak. I haven't linked them yet though. I'll do that
when we
> >>>> release.
> >>>
> >>> Nice - next time I can pitch in and do a few ;)
> >>>
> >>>>
> >>>> One thing that drove me crazy was that I kept on getting logged out
of
> >>>> the admin console sporadically. Gotta figure out what is going
wrong
> >>>> here.
> >>>
> >>> Did you have multiple tabs open? We have a timer that logs you out
> >>> after
> >>> 300 seconds of inactivity. Problem is that if you have two tabs open
> >>> with
> >>> the admin console, one you're actively using and another in the
> >>> background, the background tab will end up logging you out after 300
> >>> seconds.
> >>>
> >>
> >> That might be it.
> >>
> >>> We can either remove this altogether (my preferred option) and let the
> >>> SSO
> >>> idle timeout deal with it, or we could make sure your only logged out
> >>> if
> >>> there's no activity to the console (can have tabs write a timestamp
to
> >>> html5 storage periodically and check this before logging out).
> >>>
> >>
> >> Or just have the timer download the SSO idle timeout.
> >
> > Not sure I follow. Wouldn't that just change the timeout value, but still
> > leave an inactive tab able to logout all tabs?
> >
>
> Actually, are you sure that is it? I thought the timer was for the
> timeout warning, not for anything else? I'm not even seeing the warning.
>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
9:10 a.m.
Ah, so the keycloak.js token refresh isn't based on a timer then. It is
checked/refreshed on demand.
On 9/8/2014 10:04 AM, Stian Thorgersen wrote:
Think I've figured out what's going on with problem b.
UserSession.LastSessionRefresh is only updated if the next access token refresh is after
the timeout. The access token is also only refreshed when a request is made. With the
default values being:
* access token lifespan: 1 min
* sso idle timeout: 5 min
This means that a request has to be made between 4 min and 5 min after the last time
LastSessionRefresh was updated. So you can basically browse around all you want for 4
minutes, leave it idle for 60 seconds, then when you do the next request the session will
be timed out.
The simple solution seems to be to update LastSessionRefresh everytime the token is
refreshed. Then post-1.0.final come up with a better scheme to reduce the amount of writes
to UserSession.LastSessionRefresh
----- Original Message -----
> From: "Stian Thorgersen" <stian(a)redhat.com>
> To: "Bill Burke" <bburke(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Monday, 8 September, 2014 3:30:29 PM
> Subject: Re: [keycloak-dev] screencasts all updated
>
> Actually it seems we have two problems:
>
> a) idletimeout plugin - this causes the logout if you have multiple tabs
> open. With the SSO idle timeout feature this is not needed, so we should
> just remove it to fix this issue
>
> b) issue with sso idle timeout - I tried setting the SSO idle timeout to a
> low number (30 seconds), with access token lifespan lower (5 seconds) and
> was continuously browsing. After 1 min or two I was logged out, even though
> I was continuously doing requests (and network log shows it was doing
> refreshing the token)
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Monday, 8 September, 2014 3:05:47 PM
>> Subject: Re: [keycloak-dev] screencasts all updated
>>
>>
>>
>> On 9/8/2014 8:37 AM, Stian Thorgersen wrote:
>>>
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>> Sent: Monday, 8 September, 2014 2:29:59 PM
>>>> Subject: Re: [keycloak-dev] screencasts all updated
>>>>
>>>>
>>>>
>>>> On 9/8/2014 4:00 AM, Stian Thorgersen wrote:
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>> To: keycloak-dev(a)lists.jboss.org
>>>>>> Sent: Friday, 5 September, 2014 10:34:22 PM
>>>>>> Subject: [keycloak-dev] screencasts all updated
>>>>>>
>>>>>> man I hate doing screencasts, but they are finally updated. It
really
>>>>>> needed to be done as they were not in sync with the current
version of
>>>>>> keycloak. I haven't linked them yet though. I'll do
that when we
>>>>>> release.
>>>>>
>>>>> Nice - next time I can pitch in and do a few ;)
>>>>>
>>>>>>
>>>>>> One thing that drove me crazy was that I kept on getting logged
out of
>>>>>> the admin console sporadically. Gotta figure out what is going
wrong
>>>>>> here.
>>>>>
>>>>> Did you have multiple tabs open? We have a timer that logs you out
>>>>> after
>>>>> 300 seconds of inactivity. Problem is that if you have two tabs open
>>>>> with
>>>>> the admin console, one you're actively using and another in the
>>>>> background, the background tab will end up logging you out after 300
>>>>> seconds.
>>>>>
>>>>
>>>> That might be it.
>>>>
>>>>> We can either remove this altogether (my preferred option) and let
the
>>>>> SSO
>>>>> idle timeout deal with it, or we could make sure your only logged
out
>>>>> if
>>>>> there's no activity to the console (can have tabs write a
timestamp to
>>>>> html5 storage periodically and check this before logging out).
>>>>>
>>>>
>>>> Or just have the timer download the SSO idle timeout.
>>>
>>> Not sure I follow. Wouldn't that just change the timeout value, but
still
>>> leave an inactive tab able to logout all tabs?
>>>
>>
>> Actually, are you sure that is it? I thought the timer was for the
>> timeout warning, not for anything else? I'm not even seeing the warning.
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10:06 a.m.
Yep
I'll remove the idle-timeout plugin and also change the LastSessionRefresh to be
updated on each refresh. I'll also create a jira issue for 1.1 to figure out some way
to reduce amount of updates to LastSessionRefresh.
----- Original Message -----
From: "Bill Burke" <bburke(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Monday, 8 September, 2014 4:10:01 PM
Subject: Re: [keycloak-dev] screencasts all updated
Ah, so the keycloak.js token refresh isn't based on a timer then. It is
checked/refreshed on demand.
On 9/8/2014 10:04 AM, Stian Thorgersen wrote:
> Think I've figured out what's going on with problem b.
>
> UserSession.LastSessionRefresh is only updated if the next access token
> refresh is after the timeout. The access token is also only refreshed when
> a request is made. With the default values being:
>
> * access token lifespan: 1 min
> * sso idle timeout: 5 min
>
> This means that a request has to be made between 4 min and 5 min after the
> last time LastSessionRefresh was updated. So you can basically browse
> around all you want for 4 minutes, leave it idle for 60 seconds, then when
> you do the next request the session will be timed out.
>
> The simple solution seems to be to update LastSessionRefresh everytime the
> token is refreshed. Then post-1.0.final come up with a better scheme to
> reduce the amount of writes to UserSession.LastSessionRefresh
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian(a)redhat.com>
>> To: "Bill Burke" <bburke(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Monday, 8 September, 2014 3:30:29 PM
>> Subject: Re: [keycloak-dev] screencasts all updated
>>
>> Actually it seems we have two problems:
>>
>> a) idletimeout plugin - this causes the logout if you have multiple tabs
>> open. With the SSO idle timeout feature this is not needed, so we should
>> just remove it to fix this issue
>>
>> b) issue with sso idle timeout - I tried setting the SSO idle timeout to a
>> low number (30 seconds), with access token lifespan lower (5 seconds) and
>> was continuously browsing. After 1 min or two I was logged out, even
>> though
>> I was continuously doing requests (and network log shows it was doing
>> refreshing the token)
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> Cc: keycloak-dev(a)lists.jboss.org
>>> Sent: Monday, 8 September, 2014 3:05:47 PM
>>> Subject: Re: [keycloak-dev] screencasts all updated
>>>
>>>
>>>
>>> On 9/8/2014 8:37 AM, Stian Thorgersen wrote:
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>> Sent: Monday, 8 September, 2014 2:29:59 PM
>>>>> Subject: Re: [keycloak-dev] screencasts all updated
>>>>>
>>>>>
>>>>>
>>>>> On 9/8/2014 4:00 AM, Stian Thorgersen wrote:
>>>>>>
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>>> To: keycloak-dev(a)lists.jboss.org
>>>>>>> Sent: Friday, 5 September, 2014 10:34:22 PM
>>>>>>> Subject: [keycloak-dev] screencasts all updated
>>>>>>>
>>>>>>> man I hate doing screencasts, but they are finally updated.
It
>>>>>>> really
>>>>>>> needed to be done as they were not in sync with the current
version
>>>>>>> of
>>>>>>> keycloak. I haven't linked them yet though. I'll
do that when we
>>>>>>> release.
>>>>>>
>>>>>> Nice - next time I can pitch in and do a few ;)
>>>>>>
>>>>>>>
>>>>>>> One thing that drove me crazy was that I kept on getting
logged out
>>>>>>> of
>>>>>>> the admin console sporadically. Gotta figure out what is
going wrong
>>>>>>> here.
>>>>>>
>>>>>> Did you have multiple tabs open? We have a timer that logs you
out
>>>>>> after
>>>>>> 300 seconds of inactivity. Problem is that if you have two tabs
open
>>>>>> with
>>>>>> the admin console, one you're actively using and another in
the
>>>>>> background, the background tab will end up logging you out after
300
>>>>>> seconds.
>>>>>>
>>>>>
>>>>> That might be it.
>>>>>
>>>>>> We can either remove this altogether (my preferred option) and
let the
>>>>>> SSO
>>>>>> idle timeout deal with it, or we could make sure your only
logged out
>>>>>> if
>>>>>> there's no activity to the console (can have tabs write a
timestamp to
>>>>>> html5 storage periodically and check this before logging out).
>>>>>>
>>>>>
>>>>> Or just have the timer download the SSO idle timeout.
>>>>
>>>> Not sure I follow. Wouldn't that just change the timeout value, but
>>>> still
>>>> leave an inactive tab able to logout all tabs?
>>>>
>>>
>>> Actually, are you sure that is it? I thought the timer was for the
>>> timeout warning, not for anything else? I'm not even seeing the
warning.
>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
1:47 a.m.
On 8.9.2014 16:04, Stian Thorgersen wrote:
Think I've figured out what's going on with problem b.
UserSession.LastSessionRefresh is only updated if the next access token refresh is after
the timeout. The access token is also only refreshed when a request is made. With the
default values being:
* access token lifespan: 1 min
* sso idle timeout: 5 min
This means that a request has to be made between 4 min and 5 min after the last time
LastSessionRefresh was updated. So you can basically browse around all you want for 4
minutes, leave it idle for 60 seconds, then when you do the next request the session will
be timed out.
The simple solution seems to be to update LastSessionRefresh everytime the token is
refreshed. Then post-1.0.final come up with a better scheme to reduce the amount of writes
to UserSession.LastSessionRefresh
I wonder if solution could be something simple
like:
long minAllowedInterval = min(5 minutes, (sso idle timeout - access
token lifespan) / 2);
if (System.currentTimeMillis() - lastSessionRefresh < minAllowedInterval) {
updateLastSessionRefresh();
}
This will mean that if timeouts are low like:
* access token lifespan: 1 min
* sso idle timeout: 5 min
then it will update lastSessionRefresh in every token refresh. On the
other hand with bigger values like:
* access token lifespan: 1 min
* sso idle timeout: 60 min
it will update lastSessionRefresh just if last refresh was older than
around 30 minutes (exactly 30,5 minutes).
This might be good compromise between flexibility and easiness. The
easiest approach might be to always update refresh or use some hardcoded
minAllowedInterval (like 10 minutes). The most flexible approach might
be to add another configuration option for configuring
minAllowedInterval, but I am not sure if it's needed (too much
configuration options for various timeouts might be confusing for people
imo).
Marek
----- Original Message -----
> From: "Stian Thorgersen" <stian(a)redhat.com>
> To: "Bill Burke" <bburke(a)redhat.com>
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Monday, 8 September, 2014 3:30:29 PM
> Subject: Re: [keycloak-dev] screencasts all updated
>
> Actually it seems we have two problems:
>
> a) idletimeout plugin - this causes the logout if you have multiple tabs
> open. With the SSO idle timeout feature this is not needed, so we should
> just remove it to fix this issue
>
> b) issue with sso idle timeout - I tried setting the SSO idle timeout to a
> low number (30 seconds), with access token lifespan lower (5 seconds) and
> was continuously browsing. After 1 min or two I was logged out, even though
> I was continuously doing requests (and network log shows it was doing
> refreshing the token)
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke(a)redhat.com>
>> To: "Stian Thorgersen" <stian(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Monday, 8 September, 2014 3:05:47 PM
>> Subject: Re: [keycloak-dev] screencasts all updated
>>
>>
>>
>> On 9/8/2014 8:37 AM, Stian Thorgersen wrote:
>>>
>>> ----- Original Message -----
>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>> Sent: Monday, 8 September, 2014 2:29:59 PM
>>>> Subject: Re: [keycloak-dev] screencasts all updated
>>>>
>>>>
>>>>
>>>> On 9/8/2014 4:00 AM, Stian Thorgersen wrote:
>>>>>
>>>>> ----- Original Message -----
>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>> To: keycloak-dev(a)lists.jboss.org
>>>>>> Sent: Friday, 5 September, 2014 10:34:22 PM
>>>>>> Subject: [keycloak-dev] screencasts all updated
>>>>>>
>>>>>> man I hate doing screencasts, but they are finally updated. It
really
>>>>>> needed to be done as they were not in sync with the current
version of
>>>>>> keycloak. I haven't linked them yet though. I'll do
that when we
>>>>>> release.
>>>>> Nice - next time I can pitch in and do a few ;)
>>>>>
>>>>>> One thing that drove me crazy was that I kept on getting logged
out of
>>>>>> the admin console sporadically. Gotta figure out what is going
wrong
>>>>>> here.
>>>>> Did you have multiple tabs open? We have a timer that logs you out
>>>>> after
>>>>> 300 seconds of inactivity. Problem is that if you have two tabs open
>>>>> with
>>>>> the admin console, one you're actively using and another in the
>>>>> background, the background tab will end up logging you out after 300
>>>>> seconds.
>>>>>
>>>> That might be it.
>>>>
>>>>> We can either remove this altogether (my preferred option) and let
the
>>>>> SSO
>>>>> idle timeout deal with it, or we could make sure your only logged
out
>>>>> if
>>>>> there's no activity to the console (can have tabs write a
timestamp to
>>>>> html5 storage periodically and check this before logging out).
>>>>>
>>>> Or just have the timer download the SSO idle timeout.
>>> Not sure I follow. Wouldn't that just change the timeout value, but
still
>>> leave an inactive tab able to logout all tabs?
>>>
>> Actually, are you sure that is it? I thought the timer was for the
>> timeout warning, not for anything else? I'm not even seeing the warning.
>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3:03 a.m.
For now I'm changing it to update every time. At the moment we don't have cluster
support and all user sessions are stored in-mem so this is not an issue.
When we add cluster support we obviously need to distribute this. I think delaying the
update would be best in those cases. Basically we only distribute the last refresh if
it's close to expire.
----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 9 September, 2014 8:47:17 AM
Subject: Re: [keycloak-dev] screencasts all updated
On 8.9.2014 16:04, Stian Thorgersen wrote:
> Think I've figured out what's going on with problem b.
>
> UserSession.LastSessionRefresh is only updated if the next access token
> refresh is after the timeout. The access token is also only refreshed when
> a request is made. With the default values being:
>
> * access token lifespan: 1 min
> * sso idle timeout: 5 min
>
> This means that a request has to be made between 4 min and 5 min after the
> last time LastSessionRefresh was updated. So you can basically browse
> around all you want for 4 minutes, leave it idle for 60 seconds, then when
> you do the next request the session will be timed out.
>
> The simple solution seems to be to update LastSessionRefresh everytime the
> token is refreshed. Then post-1.0.final come up with a better scheme to
> reduce the amount of writes to UserSession.LastSessionRefresh
I wonder if solution could be something simple like:
long minAllowedInterval = min(5 minutes, (sso idle timeout - access
token lifespan) / 2);
if (System.currentTimeMillis() - lastSessionRefresh < minAllowedInterval) {
updateLastSessionRefresh();
}
This will mean that if timeouts are low like:
* access token lifespan: 1 min
* sso idle timeout: 5 min
then it will update lastSessionRefresh in every token refresh. On the
other hand with bigger values like:
* access token lifespan: 1 min
* sso idle timeout: 60 min
it will update lastSessionRefresh just if last refresh was older than
around 30 minutes (exactly 30,5 minutes).
This might be good compromise between flexibility and easiness. The
easiest approach might be to always update refresh or use some hardcoded
minAllowedInterval (like 10 minutes). The most flexible approach might
be to add another configuration option for configuring
minAllowedInterval, but I am not sure if it's needed (too much
configuration options for various timeouts might be confusing for people
imo).
Marek
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian(a)redhat.com>
>> To: "Bill Burke" <bburke(a)redhat.com>
>> Cc: keycloak-dev(a)lists.jboss.org
>> Sent: Monday, 8 September, 2014 3:30:29 PM
>> Subject: Re: [keycloak-dev] screencasts all updated
>>
>> Actually it seems we have two problems:
>>
>> a) idletimeout plugin - this causes the logout if you have multiple tabs
>> open. With the SSO idle timeout feature this is not needed, so we should
>> just remove it to fix this issue
>>
>> b) issue with sso idle timeout - I tried setting the SSO idle timeout to a
>> low number (30 seconds), with access token lifespan lower (5 seconds) and
>> was continuously browsing. After 1 min or two I was logged out, even
>> though
>> I was continuously doing requests (and network log shows it was doing
>> refreshing the token)
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke(a)redhat.com>
>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>> Cc: keycloak-dev(a)lists.jboss.org
>>> Sent: Monday, 8 September, 2014 3:05:47 PM
>>> Subject: Re: [keycloak-dev] screencasts all updated
>>>
>>>
>>>
>>> On 9/8/2014 8:37 AM, Stian Thorgersen wrote:
>>>>
>>>> ----- Original Message -----
>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
>>>>> Cc: keycloak-dev(a)lists.jboss.org
>>>>> Sent: Monday, 8 September, 2014 2:29:59 PM
>>>>> Subject: Re: [keycloak-dev] screencasts all updated
>>>>>
>>>>>
>>>>>
>>>>> On 9/8/2014 4:00 AM, Stian Thorgersen wrote:
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
>>>>>>> To: keycloak-dev(a)lists.jboss.org
>>>>>>> Sent: Friday, 5 September, 2014 10:34:22 PM
>>>>>>> Subject: [keycloak-dev] screencasts all updated
>>>>>>>
>>>>>>> man I hate doing screencasts, but they are finally updated.
It
>>>>>>> really
>>>>>>> needed to be done as they were not in sync with the current
version
>>>>>>> of
>>>>>>> keycloak. I haven't linked them yet though. I'll
do that when we
>>>>>>> release.
>>>>>> Nice - next time I can pitch in and do a few ;)
>>>>>>
>>>>>>> One thing that drove me crazy was that I kept on getting
logged out
>>>>>>> of
>>>>>>> the admin console sporadically. Gotta figure out what is
going wrong
>>>>>>> here.
>>>>>> Did you have multiple tabs open? We have a timer that logs you
out
>>>>>> after
>>>>>> 300 seconds of inactivity. Problem is that if you have two tabs
open
>>>>>> with
>>>>>> the admin console, one you're actively using and another in
the
>>>>>> background, the background tab will end up logging you out after
300
>>>>>> seconds.
>>>>>>
>>>>> That might be it.
>>>>>
>>>>>> We can either remove this altogether (my preferred option) and
let the
>>>>>> SSO
>>>>>> idle timeout deal with it, or we could make sure your only
logged out
>>>>>> if
>>>>>> there's no activity to the console (can have tabs write a
timestamp to
>>>>>> html5 storage periodically and check this before logging out).
>>>>>>
>>>>> Or just have the timer download the SSO idle timeout.
>>>> Not sure I follow. Wouldn't that just change the timeout value, but
>>>> still
>>>> leave an inactive tab able to logout all tabs?
>>>>
>>> Actually, are you sure that is it? I thought the timer was for the
>>> timeout warning, not for anything else? I'm not even seeing the
warning.
>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
6:48 a.m.
I've fixed the user session and removed the idle-timeout.
I also noticed that the admin console was doing 3 requests to refresh the token every time
it expired. I fixed this by making sure only a single refresh request is sent
concurrently, others just add to a queue waiting for the refresh token response.
----- Original Message -----
From: "Stian Thorgersen" <stian(a)redhat.com>
To: "Marek Posolda" <mposolda(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 9 September, 2014 10:03:18 AM
Subject: Re: [keycloak-dev] screencasts all updated
For now I'm changing it to update every time. At the moment we don't have
cluster support and all user sessions are stored in-mem so this is not an
issue.
When we add cluster support we obviously need to distribute this. I think
delaying the update would be best in those cases. Basically we only
distribute the last refresh if it's close to expire.
----- Original Message -----
> From: "Marek Posolda" <mposolda(a)redhat.com>
> To: keycloak-dev(a)lists.jboss.org
> Sent: Tuesday, 9 September, 2014 8:47:17 AM
> Subject: Re: [keycloak-dev] screencasts all updated
>
> On 8.9.2014 16:04, Stian Thorgersen wrote:
> > Think I've figured out what's going on with problem b.
> >
> > UserSession.LastSessionRefresh is only updated if the next access token
> > refresh is after the timeout. The access token is also only refreshed
> > when
> > a request is made. With the default values being:
> >
> > * access token lifespan: 1 min
> > * sso idle timeout: 5 min
> >
> > This means that a request has to be made between 4 min and 5 min after
> > the
> > last time LastSessionRefresh was updated. So you can basically browse
> > around all you want for 4 minutes, leave it idle for 60 seconds, then
> > when
> > you do the next request the session will be timed out.
> >
> > The simple solution seems to be to update LastSessionRefresh everytime
> > the
> > token is refreshed. Then post-1.0.final come up with a better scheme to
> > reduce the amount of writes to UserSession.LastSessionRefresh
> I wonder if solution could be something simple like:
>
> long minAllowedInterval = min(5 minutes, (sso idle timeout - access
> token lifespan) / 2);
> if (System.currentTimeMillis() - lastSessionRefresh < minAllowedInterval) {
> updateLastSessionRefresh();
> }
>
> This will mean that if timeouts are low like:
>
> * access token lifespan: 1 min
> * sso idle timeout: 5 min
>
> then it will update lastSessionRefresh in every token refresh. On the
> other hand with bigger values like:
>
> * access token lifespan: 1 min
> * sso idle timeout: 60 min
>
> it will update lastSessionRefresh just if last refresh was older than
> around 30 minutes (exactly 30,5 minutes).
>
> This might be good compromise between flexibility and easiness. The
> easiest approach might be to always update refresh or use some hardcoded
> minAllowedInterval (like 10 minutes). The most flexible approach might
> be to add another configuration option for configuring
> minAllowedInterval, but I am not sure if it's needed (too much
> configuration options for various timeouts might be confusing for people
> imo).
>
> Marek
> >
> > ----- Original Message -----
> >> From: "Stian Thorgersen" <stian(a)redhat.com>
> >> To: "Bill Burke" <bburke(a)redhat.com>
> >> Cc: keycloak-dev(a)lists.jboss.org
> >> Sent: Monday, 8 September, 2014 3:30:29 PM
> >> Subject: Re: [keycloak-dev] screencasts all updated
> >>
> >> Actually it seems we have two problems:
> >>
> >> a) idletimeout plugin - this causes the logout if you have multiple tabs
> >> open. With the SSO idle timeout feature this is not needed, so we should
> >> just remove it to fix this issue
> >>
> >> b) issue with sso idle timeout - I tried setting the SSO idle timeout to
> >> a
> >> low number (30 seconds), with access token lifespan lower (5 seconds)
> >> and
> >> was continuously browsing. After 1 min or two I was logged out, even
> >> though
> >> I was continuously doing requests (and network log shows it was doing
> >> refreshing the token)
> >>
> >> ----- Original Message -----
> >>> From: "Bill Burke" <bburke(a)redhat.com>
> >>> To: "Stian Thorgersen" <stian(a)redhat.com>
> >>> Cc: keycloak-dev(a)lists.jboss.org
> >>> Sent: Monday, 8 September, 2014 3:05:47 PM
> >>> Subject: Re: [keycloak-dev] screencasts all updated
> >>>
> >>>
> >>>
> >>> On 9/8/2014 8:37 AM, Stian Thorgersen wrote:
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Bill Burke" <bburke(a)redhat.com>
> >>>>> To: "Stian Thorgersen" <stian(a)redhat.com>
> >>>>> Cc: keycloak-dev(a)lists.jboss.org
> >>>>> Sent: Monday, 8 September, 2014 2:29:59 PM
> >>>>> Subject: Re: [keycloak-dev] screencasts all updated
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 9/8/2014 4:00 AM, Stian Thorgersen wrote:
> >>>>>>
> >>>>>> ----- Original Message -----
> >>>>>>> From: "Bill Burke" <bburke(a)redhat.com>
> >>>>>>> To: keycloak-dev(a)lists.jboss.org
> >>>>>>> Sent: Friday, 5 September, 2014 10:34:22 PM
> >>>>>>> Subject: [keycloak-dev] screencasts all updated
> >>>>>>>
> >>>>>>> man I hate doing screencasts, but they are finally
updated. It
> >>>>>>> really
> >>>>>>> needed to be done as they were not in sync with the
current version
> >>>>>>> of
> >>>>>>> keycloak. I haven't linked them yet though.
I'll do that when we
> >>>>>>> release.
> >>>>>> Nice - next time I can pitch in and do a few ;)
> >>>>>>
> >>>>>>> One thing that drove me crazy was that I kept on
getting logged out
> >>>>>>> of
> >>>>>>> the admin console sporadically. Gotta figure out what
is going
> >>>>>>> wrong
> >>>>>>> here.
> >>>>>> Did you have multiple tabs open? We have a timer that logs
you out
> >>>>>> after
> >>>>>> 300 seconds of inactivity. Problem is that if you have two
tabs open
> >>>>>> with
> >>>>>> the admin console, one you're actively using and
another in the
> >>>>>> background, the background tab will end up logging you out
after 300
> >>>>>> seconds.
> >>>>>>
> >>>>> That might be it.
> >>>>>
> >>>>>> We can either remove this altogether (my preferred option)
and let
> >>>>>> the
> >>>>>> SSO
> >>>>>> idle timeout deal with it, or we could make sure your only
logged
> >>>>>> out
> >>>>>> if
> >>>>>> there's no activity to the console (can have tabs write
a timestamp
> >>>>>> to
> >>>>>> html5 storage periodically and check this before logging
out).
> >>>>>>
> >>>>> Or just have the timer download the SSO idle timeout.
> >>>> Not sure I follow. Wouldn't that just change the timeout value,
but
> >>>> still
> >>>> leave an inactive tab able to logout all tabs?
> >>>>
> >>> Actually, are you sure that is it? I thought the timer was for the
> >>> timeout warning, not for anything else? I'm not even seeing the
> >>> warning.
> >>>
> >>>
> >>> --
> >>> Bill Burke
> >>> JBoss, a division of Red Hat
> >>> http://bill.burkecentral.com
> >>>
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev(a)lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
3765
days inactive
3769
days old
11 comments
3 participants
participants (3)
-
Bill Burke -
Marek Posolda -
Stian Thorgersen