My application is checking the access token timeout and refreshing it if expired. The thing is, the tokens are being invalidated after the SSO session timeout.  So if I have the access token timeout set to 4 hours, and the SSO timeout set to 15 minutes, the access token and refresh tokens are both invalidated after only 15 minutes.

 

 

Date: Thu, 21 Aug 2014 17:34:16 -0400

From: Bill Burke <bburke@redhat.com>

Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct

                Grants

To: keycloak-user@lists.jboss.org

Message-ID: <53F665D8.9000303@redhat.com>

Content-Type: text/plain; charset=windows-1252; format=flowed

 

I don't agree...

 

Your application should be checking for token timeouts and performing a

refresh.  The response from direct-grant gives you a refresh token as

well as an access token as well as a timeout (which you could check from

the access token).

 

Since you have a refresh token, you can refresh the access token.  You

still want the same setup:  Short access token lifespan

(seconds/minutes) with a longer refresh timeout minutes/hours.  This is

for revocation checks, permission changes, etc.

 

I could set up a different SSO timeout/access token timeout for grant

requests if you want, but that would have to be after 1.0.final.