11:06 a.m.
Hi all,
I'm using keycloak 2.2.1 to secure my application. The application can
be accessed both via web and mobile (Android app). Both of them use the
authorization code flow, which I believe it's the ideal form of
authentication for my case.
The topic I want to clarify here is token lifespans. As far as I
understand, the SSO session idle timeout determines how long can a token
last without being refreshed. On the other hand, SSO session max
determines how long can a token last, even if it's being refreshed once
and again. Well, now couple of questions:
1. Is there a way to make the web session limited to, let's say, 30
minutes and to have a long lived refresh token for the app?
2. How to deal with the refresh token in the app? What I do right now is
to launch a webview when application starts and store the access and
refresh tokens in user preferences (which is secured in Android). I wrap
each http request made from the app and add the access token, unless it
has expired, then I request a new access token with the refresh token.
But when should I check the validity for the refresh token itself? I
don't want a chain of requests being interrupted because of the refresh
token being expired!
Thanks in advanced for your help!
--
Aritz Maeztu Otaño
Departamento Desarrollo de Software
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf. Aritz Maeztu: 948 68 03 06
Telf. Secretaría: 948 21 40 40
Antes de imprimir este e-mail piense bien si es necesario hacerlo: El
medioambiente es cosa de todos.
2:55 a.m.
Hi,
I think you should look at offline tokens, introduced in Keycloak 1.6.1 [1]
[1] http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html
On 11/15/2016 06:06 PM, Aritz Maeztu wrote:
Hi all,
I'm using keycloak 2.2.1 to secure my application. The application can
be accessed both via web and mobile (Android app). Both of them use the
authorization code flow, which I believe it's the ideal form of
authentication for my case.
The topic I want to clarify here is token lifespans. As far as I
understand, the SSO session idle timeout determines how long can a token
last without being refreshed. On the other hand, SSO session max
determines how long can a token last, even if it's being refreshed once
and again. Well, now couple of questions:
1. Is there a way to make the web session limited to, let's say, 30
minutes and to have a long lived refresh token for the app?
2. How to deal with the refresh token in the app? What I do right now is
to launch a webview when application starts and store the access and
refresh tokens in user preferences (which is secured in Android). I wrap
each http request made from the app and add the access token, unless it
has expired, then I request a new access token with the refresh token.
But when should I check the validity for the refresh token itself? I
don't want a chain of requests being interrupted because of the refresh
token being expired!
Thanks in advanced for your help!
--
Iván
3:52 a.m.
Found the location of the "Offline Access" section:
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/se...
On 11/16/2016 09:55 AM, Iván Perdomo wrote:
Hi,
I think you should look at offline tokens, introduced in Keycloak 1.6.1 [1]
[1] http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html
On 11/15/2016 06:06 PM, Aritz Maeztu wrote:
> Hi all,
>
> I'm using keycloak 2.2.1 to secure my application. The application can
> be accessed both via web and mobile (Android app). Both of them use the
> authorization code flow, which I believe it's the ideal form of
> authentication for my case.
>
> The topic I want to clarify here is token lifespans. As far as I
> understand, the SSO session idle timeout determines how long can a token
> last without being refreshed. On the other hand, SSO session max
> determines how long can a token last, even if it's being refreshed once
> and again. Well, now couple of questions:
>
> 1. Is there a way to make the web session limited to, let's say, 30
> minutes and to have a long lived refresh token for the app?
>
> 2. How to deal with the refresh token in the app? What I do right now is
> to launch a webview when application starts and store the access and
> refresh tokens in user preferences (which is secured in Android). I wrap
> each http request made from the app and add the access token, unless it
> has expired, then I request a new access token with the refresh token.
> But when should I check the validity for the refresh token itself? I
> don't want a chain of requests being interrupted because of the refresh
> token being expired!
>
> Thanks in advanced for your help!
>
>
--
Iván
7:10 a.m.
Hi Artiz,
as Iván mentioned, you should have a look at offline refresh tokens
(requested by using the scope=offline_access query parameter in your
authorization code flow initial request).
An offline token has a different semantic and timeout. From what I've
tested "SSO Session Idle" and "SSO Session Max" don't apply to
them, only
"Offline Session Idle". Offline Session Idle is the maximum delay between
last refresh and session expiry. Let say your Offline Session Idle is 30
days and you refresh your token after 15 days, this will reset the offline
session timeout again. You can basically have an infinite session if the
user uses frequently the token.
Gabriel
2016-11-16 4:52 GMT-05:00 Iván Perdomo <ivan(a)akvo.org>:
Found the location of the "Offline Access" section:
https://keycloak.gitbooks.io/server-adminstration-guide/
content/topics/sessions/offline.html
On 11/16/2016 09:55 AM, Iván Perdomo wrote:
> Hi,
>
> I think you should look at offline tokens, introduced in Keycloak 1.6.1
[1]
>
> [1] http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html
>
> On 11/15/2016 06:06 PM, Aritz Maeztu wrote:
>> Hi all,
>>
>> I'm using keycloak 2.2.1 to secure my application. The application can
>> be accessed both via web and mobile (Android app). Both of them use the
>> authorization code flow, which I believe it's the ideal form of
>> authentication for my case.
>>
>> The topic I want to clarify here is token lifespans. As far as I
>> understand, the SSO session idle timeout determines how long can a token
>> last without being refreshed. On the other hand, SSO session max
>> determines how long can a token last, even if it's being refreshed once
>> and again. Well, now couple of questions:
>>
>> 1. Is there a way to make the web session limited to, let's say, 30
>> minutes and to have a long lived refresh token for the app?
>>
>> 2. How to deal with the refresh token in the app? What I do right now is
>> to launch a webview when application starts and store the access and
>> refresh tokens in user preferences (which is secured in Android). I wrap
>> each http request made from the app and add the access token, unless it
>> has expired, then I request a new access token with the refresh token.
>> But when should I check the validity for the refresh token itself? I
>> don't want a chain of requests being interrupted because of the refresh
>> token being expired!
>>
>> Thanks in advanced for your help!
>>
>>
>
--
Iván
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Gabriel Lavoie
glavoie(a)gmail.com
2768
days inactive
2770
days old
3 comments
3 participants
participants (3)
-
Aritz Maeztu -
Gabriel Lavoie -
Iván Perdomo