As long as the token is refreshed Keycloak sees it as an active user. Simplest option would be to make your app stop doing the background requests after a while, which would result in in the session timing out. It could also trigger a logout of the user from the application itself. Alternatively we could potentially do something like having adding a proprietary option to the refresh request to prevent it being seen as "user activity", but I'm less keen on that since it'd be non-standard OIDC.

On 7 September 2016 at 12:41, sheishere b <sheishere48@gmail.com> wrote:

We have node js integrated with keycloak & keycloak is running as a service in jboss.

There are many http requests being sent from browser to server in the background as part of auto refresh of some tables.

So if user has opened browser & remains inactive; in the background many requests are made. Keycloak will never detect inactivity & hence session will never be invalidated after session inactivity timeout.

Is there a way in keycloak to ignore such background requests from being considered for session alive scenarios?

_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user