My application is checking the access token timeout and refreshing it if expired. The
thing is, the tokens are being invalidated after the SSO session timeout. So if I have
the access token timeout set to 4 hours, and the SSO timeout set to 15 minutes, the access
token and refresh tokens are both invalidated after only 15 minutes.
Date: Thu, 21 Aug 2014 17:34:16 -0400
From: Bill Burke <bburke@redhat.com>
Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct Grants
To: keycloak-user@lists.jboss.org
Message-ID: <53F665D8.9000303@redhat.com>
I don't agree...
Your application should be checking for token timeouts and performing a
refresh. The response from direct-grant gives you a refresh token as
well as an access token and a timeout (which you could check from
the access token).
Since you have a refresh token, you can refresh the access token. You
still want the same setup: short access token lifespan
(seconds/minutes) with a longer refresh timeout (minutes/hours). This is
for revocation checks, permission changes, etc.
I could set up a different SSO timeout/access token timeout for grant
requests if you want, but that would have to be after 1.0.final.
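The client-side flow Bill describes, written out as an added example; it is not code from the thread or from Keycloak. The token endpoint is a constructed stand-in (`FakeTokenEndpoint`) that models the behaviour complained about above: the refresh token only works while the SSO session is alive, and the session expires after `sso_idle` seconds without a token request. The tokens it mints are unsigned JWT-shaped strings for illustration only; the `access_token_expired` check reads `exp` without verifying a signature, which is acceptable for deciding when to refresh but never for authorization. Class and parameter names (`DirectGrantClient`, `sso_idle`, `leeway`) are assumptions of this example.

```python
import base64
import json
from typing import Callable, Dict, List, Optional, Tuple


# --- Minimal JWT helpers: client-side expiry check only, no signature verification ---

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_claims(token: str) -> dict:
    """Parse the payload of a compact JWS without verifying it.
    Good enough to decide *when to refresh*; a resource server must verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def access_token_expired(token: str, now: float, leeway: float = 30.0) -> bool:
    """True if the token has expired or will within `leeway` seconds (avoids racing the server clock)."""
    return now + leeway >= jwt_claims(token)["exp"]


class FakeTokenEndpoint:
    """Constructed stand-in for a token endpoint (assumption of this example, not Keycloak code).
    The refresh token is only honoured while the SSO session is alive, and the session
    goes idle after `sso_idle` seconds without a token request."""

    def __init__(self, access_lifespan: int, refresh_lifespan: int, sso_idle: int):
        self.access_lifespan, self.refresh_lifespan, self.sso_idle = access_lifespan, refresh_lifespan, sso_idle
        self.last_activity: Optional[float] = None
        self.valid_refresh: Optional[str] = None
        self.refresh_exp = 0.0

    def _issue(self, now: float) -> Dict:
        header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())

        def mint(kind: str, lifespan: int) -> str:  # unsigned, illustrative only
            payload = b64url_encode(json.dumps({"typ": kind, "iat": int(now), "exp": int(now + lifespan)}).encode())
            return f"{header}.{payload}."

        self.valid_refresh = mint("Refresh", self.refresh_lifespan)  # refresh token rotates on every issue
        self.refresh_exp = now + self.refresh_lifespan
        self.last_activity = now
        return {"access_token": mint("Bearer", self.access_lifespan), "expires_in": self.access_lifespan,
                "refresh_token": self.valid_refresh, "refresh_expires_in": self.refresh_lifespan,
                "token_type": "bearer"}

    def request(self, form: Dict[str, str], now: float) -> Dict:
        if form.get("grant_type") == "password":          # direct grant: starts a fresh SSO session
            return self._issue(now)
        if form.get("grant_type") == "refresh_token":
            session_alive = self.last_activity is not None and now - self.last_activity <= self.sso_idle
            if session_alive and form.get("refresh_token") == self.valid_refresh and now <= self.refresh_exp:
                return self._issue(now)
            return {"error": "invalid_grant", "error_description": "refresh token or SSO session expired"}
        return {"error": "unsupported_grant_type"}


class DirectGrantClient:
    """Cache the access token, refresh it shortly before expiry, and fall back to a new
    direct grant when the refresh token has died with the SSO session."""

    def __init__(self, send: Callable[[Dict[str, str], float], Dict], client_id: str, username: str, password: str):
        self.send, self.client_id, self.username, self.password = send, client_id, username, password
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None

    def _store(self, resp: Dict) -> None:
        self.access_token, self.refresh_token = resp["access_token"], resp["refresh_token"]

    def login(self, now: float) -> str:
        resp = self.send({"grant_type": "password", "client_id": self.client_id,
                          "username": self.username, "password": self.password}, now)
        if "error" in resp:
            raise PermissionError(resp["error"])
        self._store(resp)
        return "login"

    def get_access_token(self, now: float) -> Tuple[str, str]:
        """Return (access_token, how) with how in {'login', 'cached', 'refreshed'}."""
        if self.access_token is None:
            how = self.login(now)
        elif not access_token_expired(self.access_token, now):
            how = "cached"
        else:
            resp = self.send({"grant_type": "refresh_token", "client_id": self.client_id,
                              "refresh_token": self.refresh_token}, now)
            if "error" in resp:
                how = self.login(now)  # SSO session idle timeout hit: only a new direct grant helps
            else:
                self._store(resp)
                how = "refreshed"
        return self.access_token, how


def demo(access_lifespan: int = 60, refresh_lifespan: int = 3600, sso_idle: int = 900) -> List[str]:
    """Timeline (seconds) showing cached use, pre-emptive refresh, and re-login after SSO idle expiry."""
    endpoint = FakeTokenEndpoint(access_lifespan, refresh_lifespan, sso_idle)
    client = DirectGrantClient(endpoint.request, "my-app", "alice", "correct horse")  # constructed credentials
    return [client.get_access_token(t)[1] for t in (0, 20, 45, 500, 1500)]


if __name__ == "__main__":
    print(demo())
```

With a 60-second access token, a one-hour refresh token and a 15-minute SSO idle timeout, the timeline shows the refresh at t=45 (inside the 30-second leeway), a second refresh at t=500 that keeps the session alive, and a forced re-login at t=1500 because more than 900 seconds passed since the last token request, regardless of the refresh token's own one-hour lifespan.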