5:41 a.m.
We have node js integrated with keycloak & keycloak is running as a service
in jboss.
There are many http requests being sent from browser to server in the
background as part of auto refresh of some tables.
So if user has opened browser & remains inactive; in the background many
requests are made. Keycloak will never detect inactivity & hence session
will never be invalidated after session inactivity timeout.
Is there a way in keycloak to ignore such background requests from being
considered for session alive scenarios?
1:38 a.m.
As long as the token is refreshed Keycloak sees it as an active user.
Simplest option would be to make your app stop doing the background
requests after a while, which would result in in the session timing out. It
could also trigger a logout of the user from the application itself.
Alternatively we could potentially do something like having adding a
proprietary option to the refresh request to prevent it being seen as "user
activity", but I'm less keen on that since it'd be non-standard OIDC.
On 7 September 2016 at 12:41, sheishere b <sheishere48(a)gmail.com> wrote:
We have node js integrated with keycloak & keycloak is running as
a
service in jboss.
There are many http requests being sent from browser to server in the
background as part of auto refresh of some tables.
So if user has opened browser & remains inactive; in the background many
requests are made. Keycloak will never detect inactivity & hence session
will never be invalidated after session inactivity timeout.
Is there a way in keycloak to ignore such background requests from being
considered for session alive scenarios?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1:44 a.m.
Thanks for your input
On Thu, Sep 8, 2016 at 12:08 PM, Stian Thorgersen <sthorger(a)redhat.com>
wrote:
As long as the token is refreshed Keycloak sees it as an active
user.
Simplest option would be to make your app stop doing the background
requests after a while, which would result in in the session timing out. It
could also trigger a logout of the user from the application itself.
Alternatively we could potentially do something like having adding a
proprietary option to the refresh request to prevent it being seen as "user
activity", but I'm less keen on that since it'd be non-standard OIDC.
On 7 September 2016 at 12:41, sheishere b <sheishere48(a)gmail.com> wrote:
> We have node js integrated with keycloak & keycloak is running as a
> service in jboss.
> There are many http requests being sent from browser to server in the
> background as part of auto refresh of some tables.
> So if user has opened browser & remains inactive; in the background many
> requests are made. Keycloak will never detect inactivity & hence session
> will never be invalidated after session inactivity timeout.
> Is there a way in keycloak to ignore such background requests from being
> considered for session alive scenarios?
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
3499
days inactive
3507
days old
2 comments
2 participants
participants (2)
-
sheishere b -
Stian Thorgersen