[keycloak-dev] session idle timeout implemented
Bill Burke
bburke at redhat.com
Fri May 16 08:55:17 EDT 2014
There is no more:
centralLoginLifespan
refreshTokenLifespan
Instead there is:
ssoSessionIdleTimeout
ssoSessionMaxLifespan
UserSessionModel has removed:
expires
Replaced it with:
lastSessionRefresh
The way it works is as follows. At every cookie validation or
refreshToken, the session is invalidated if the session has been idle
for a period of time, or the session has reached its max age.
lastSessionRefresh is a timestamp which is updated at every cookie
authentication or refreshToken. For refreshToken, it is only updated if
accessCodeLifespan + lastSessionRefresh time will happen after the next
idle timeout.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
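
The validation rule described in the message above, as an added sketch that is not part of the original post and is not Keycloak source code. It models only the idle and max-age checks and the update of lastSessionRefresh at cookie validation; the conditional update for refreshToken is not modelled. Assumptions: the class name, the "started" field, timestamps in whole seconds, and the strict ">" comparison at the boundary.

```java
// Added model of the rules in the message; not Keycloak source code.
public class SsoSessionModel {
    // Realm settings named in the message, in seconds.
    final int ssoSessionIdleTimeout;
    final int ssoSessionMaxLifespan;

    // Per-session state. "started" is an assumed field, needed to measure max age.
    final int started;
    int lastSessionRefresh;

    SsoSessionModel(int idleTimeout, int maxLifespan, int now) {
        this.ssoSessionIdleTimeout = idleTimeout;
        this.ssoSessionMaxLifespan = maxLifespan;
        this.started = now;
        this.lastSessionRefresh = now;
    }

    // Valid only while both deadlines are still in the future (strict ">" is assumed).
    boolean isValid(int now) {
        boolean idleOk = lastSessionRefresh + ssoSessionIdleTimeout > now;
        boolean ageOk = started + ssoSessionMaxLifespan > now;
        return idleOk && ageOk;
    }

    // Cookie validation: reject an expired session, otherwise slide the idle window.
    boolean validateCookie(int now) {
        if (!isValid(now)) {
            return false;
        }
        lastSessionRefresh = now;
        return true;
    }

    public static void main(String[] args) {
        // Constructed values: 30 min idle timeout, 10 h max lifespan, session starts at t=0.
        SsoSessionModel s = new SsoSessionModel(1800, 36000, 0);
        System.out.println("t=1000: " + s.validateCookie(1000)); // 1000 s since last refresh
        System.out.println("t=2700: " + s.validateCookie(2700)); // 1700 s since last refresh
        System.out.println("t=4600: " + s.validateCookie(4600)); // 1900 s since last refresh

        // A session touched every 20 minutes never goes idle, but still hits the max age.
        SsoSessionModel busy = new SsoSessionModel(1800, 36000, 0);
        boolean alive = true;
        for (int t = 1200; t < 36000 && alive; t += 1200) {
            alive = busy.validateCookie(t);
        }
        System.out.println("active until max age: " + alive);
        System.out.println("t=36000: " + busy.validateCookie(36000));
    }
}
```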