Have few questions related to cookies & rememberMe.
1) Actually the KEYCLOAK_IDENTITY cookie is generated with the -1 by
default (so expires when browser is closed). Thing is that lifespan of
the identityToken generated in AuthenticationManager.createIdentityToken
is just ssoSessionIdleTimeout, which is 10 minutes by default. And
cookie is refreshed just during cookie SSO login. So for example when I
have scenario like:
* Login to admin console
* Do some admin work for 15 minutes
* Then click to "Manage my account" button (or to some other Keycloak
secured application), the token in the KEYCLOAK_IDENTITY cookie is not
valid anymore, so I am immediately logged out. Note that UserSession is
still valid as I had couple of refreshToken requests during my 15
minutes 'admin' work.
So my question is if we can use ssoSessionMaxLifespan for the identity
token instead of ssoSessionIdleTimeout? Note that even in cookie
authentication, we are also checking if UserSession is valid. So if
UserSession is expired, the login won't be successful anyway.
2) Second thing is RememberMe feature. Actually we have
KEYCLOAK_REMEMBER_ME cookie, which is set after successful login with
rememberMe. But this cookie is actually not used anywhere for relogin!
Only thing is KEYCLOAK_IDENTITY cookie set with the lifespan of
ssoSessionIdleTimeout, so once you restart browser, KEYCLOAK_IDENTITY
cookie will survive and you will be able to relogin.
Problem is that KEYCLOAK_IDENTITY is tight to particular UserSession. So
for example if I have scenario like:
* Login to admin console
* Close my browser and wait 15 minutes
* Then open my browser and try to relogin --- ATM both UserSession and
KEYCLOAK_IDENTITY cookie are not valid anymore so rememberMe doesn't
work and Keycloak login screen is displayed to me.
Also scenario like:
* Login to admin console
* Close my browser and restart Keycloak
* Then open my browser and try to relogin --- rememberMe also won't work
as UserSession is not valid (unless I am using 'jpa' or 'mongo'
UserSession provider).
IMO RememberMe shouldn't be tight to particular UserSession. I would
expect that when I start browser next day, I will be automatically
logged in even if my UserSession from previous day is already expired.
It seems that to properly support RememberMe, we should use
KEYCLOAK_REMEMBER_ME cookie instead of KEYCLOAK_IDENTITY . IMO value of
KEYCLOAK_REMEMBER_ME cookie should be random token signed by realm
privateKey and valid just for one use (Each RememberMe login will
regenerate token and refresh value of KEYCLOAK_REMEMBER_ME cookie) .
This would mean that we will need to persist stuff related to rememberMe
with some additional related informations (realm, user, timestamp,
ipAddress). So for example if admin will set Not-Before for realm, it
will also invalidate all stored rememberMe tokens.
It seems that this will require some model changes and amount of work,
but ATM RememberMe feature seems to be quite unusable to me.
wdyt?
Marek
Show replies by date