----- Original Message -----
From: "John DODGE CONSULTING SERVICES Schneider, LLC"
<John.Schneider(a)carrier.utc.com>
To: keycloak-user(a)lists.jboss.org
Sent: Friday, 22 August, 2014 3:52:47 PM
Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct
My application is checking the access token timeout and refreshing it if
expired. The thing is, the tokens are being invalidated after the SSO
session timeout. So if I have the access token timeout set to 4 hours, and
the SSO timeout set to 15 minutes, the access token and refresh tokens are
both invalidated after only 15 minutes.
It doesn't really make much sense to have idle timeout shorter than access token
timeout. For example in your case above the user session is logged out after 15 min, but
an application can still access services using the token for nearly another 4 hours.
Date: Thu, 21 Aug 2014 17:34:16 -0400
From: Bill Burke < bburke(a)redhat.com >
Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct
Grants
To: keycloak-user(a)lists.jboss.org
Message-ID: < 53F665D8.9000303(a)redhat.com >
Content-Type: text/plain; charset=windows-1252; format=flowed
I don't agree...
Your application should be checking for token timeouts and performing a
refresh. The response from direct-grant gives you a refresh token as
well as an access token as well as a timeout (which you could check from
the access token).
Since you have a refresh token, you can refresh the access token. You
still want the same setup: Short access token lifespan
(seconds/minutes) with a longer refresh timeout minutes/hours. This is
for revocation checks, permission changes, etc.
I could set up a different SSO timeout/access token timeout for grant
requests if you want, but that would have to be after 1.0.final.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user