Hi all,
I'm using Keycloak 2.2.1 to secure my application. The application can be accessed both via web and mobile (Android app). Both of them use the authorization code flow, which I believe is the ideal form of authentication for my case.
The topic I want to clarify here is token lifespans. As far as I understand, the SSO session idle timeout determines how long a token can last without being refreshed. On the other hand, SSO session max determines how long a token can last, even if it's being refreshed again and again. Well, now a couple of questions:
1. Is there a way to make the web session limited to, let's say, 30 minutes and to have a long-lived refresh token for the app?
2. How should I deal with the refresh token in the app? What I do right now is launch a webview when the application starts and store the access and refresh tokens in user preferences (which are secured in Android). I wrap each HTTP request made from the app and add the access token, unless it has expired, in which case I request a new access token with the refresh token. But when should I check the validity of the refresh token itself? I don't want a chain of requests being interrupted because of the refresh token being expired!
Thanks in advance for your help!
--
Aritz Maeztu Otaño
Software Development Department
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretary's office: 948 21 40 40
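An added example (not the poster's code and not Keycloak's) of the client-side bookkeeping the second question asks about, written in Python so it runs stand-alone; the same logic ports to the Android request wrapper. It reads `exp` from both tokens, refreshes the access token before it lapses, checks before a chain of requests that the refresh token will outlive the whole chain, and models the idle/max lifespans with a fake refresh endpoint whose rules are an assumption for the demo, not taken from Keycloak's implementation.

```python
import base64
import json

# Constructed, unsigned JWT-shaped tokens so this runs offline. Real Keycloak
# tokens are signed; the client only reads `exp` here, the server still verifies.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(exp: int, typ: str) -> str:
    head = _b64url(json.dumps({"alg": "none"}).encode())
    body = _b64url(json.dumps({"exp": exp, "typ": typ}).encode())
    return f"{head}.{body}."

def token_exp(token: str) -> int:
    """Read the exp claim (seconds since epoch) from a JWT-shaped token."""
    body = token.split(".")[1]
    body += "=" * (-len(body) % 4)
    return int(json.loads(base64.urlsafe_b64decode(body))["exp"])

class RefreshTokenExpired(Exception):
    """Only a fresh login (the webview) can recover from this."""

class TokenManager:
    SKEW = 30  # tolerance for clock drift and request latency, in seconds

    def __init__(self, access: str, refresh: str, refresh_fn):
        self.access, self.refresh, self.refresh_fn = access, refresh, refresh_fn

    def refresh_usable_until(self) -> int:
        return token_exp(self.refresh) - self.SKEW

    def check_before_chain(self, now: int, chain_seconds: int) -> None:
        """Call once before a batch of requests: fail early, not halfway through."""
        if now + chain_seconds > self.refresh_usable_until():
            raise RefreshTokenExpired("refresh token would expire mid-chain")

    def bearer(self, now: int) -> str:
        """Return a usable access token, refreshing it if it is (nearly) expired."""
        if now + self.SKEW < token_exp(self.access):
            return self.access
        if now >= self.refresh_usable_until():
            raise RefreshTokenExpired("refresh token expired")
        self.access, self.refresh = self.refresh_fn(self.refresh, now)
        return self.access

def fake_keycloak_refresh(session_start: int, idle: int, max_life: int, access_life: int):
    """Assumed stand-in for the refresh grant: new tokens last `idle`/`access_life`
    seconds but never past session_start + max_life (the SSO session max)."""
    def refresh(refresh_token: str, now: int):
        if now >= token_exp(refresh_token) or now >= session_start + max_life:
            raise RefreshTokenExpired("session expired on the server")
        cap = session_start + max_life
        return make_token(min(now + access_life, cap), "Bearer"), make_token(min(now + idle, cap), "Refresh")
    return refresh
```

Calling `check_before_chain` once at the start of a multi-request operation is the answer to "when should I check the refresh token": the app falls back to the login webview before the chain starts rather than in the middle of it.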