[keycloak-dev] screencasts all updated
Stian Thorgersen
stian at redhat.com
Mon Sep 8 10:04:21 EDT 2014
Think I've figured out what's going on with problem b.
UserSession.LastSessionRefresh is only updated if the next access token refresh is after the timeout. The access token is also only refreshed when a request is made. With the default values being:
* access token lifespan: 1 min
* sso idle timeout: 5 min
This means that a request has to be made between 4 min and 5 min after the last time LastSessionRefresh was updated. So you can basically browse around all you want for 4 minutes, leave it idle for 60 seconds, then when you do the next request the session will be timed out.
The simple solution seems to be to update LastSessionRefresh every time the token is refreshed. Then post-1.0.final come up with a better scheme to reduce the amount of writes to UserSession.LastSessionRefresh.
----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Bill Burke" <bburke at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, 8 September, 2014 3:30:29 PM
> Subject: Re: [keycloak-dev] screencasts all updated
>
> Actually it seems we have two problems:
>
> a) idletimeout plugin - this causes the logout if you have multiple tabs
> open. With the SSO idle timeout feature this is not needed, so we should
> just remove it to fix this issue
>
> b) issue with sso idle timeout - I tried setting the SSO idle timeout to a
> low number (30 seconds), with access token lifespan lower (5 seconds) and
> was continuously browsing. After 1 min or two I was logged out, even though
> I was continuously doing requests (and the network log shows it was
> refreshing the token)
>
> ----- Original Message -----
> > From: "Bill Burke" <bburke at redhat.com>
> > To: "Stian Thorgersen" <stian at redhat.com>
> > Cc: keycloak-dev at lists.jboss.org
> > Sent: Monday, 8 September, 2014 3:05:47 PM
> > Subject: Re: [keycloak-dev] screencasts all updated
> >
> >
> >
> > On 9/8/2014 8:37 AM, Stian Thorgersen wrote:
> > >
> > >
> > > ----- Original Message -----
> > >> From: "Bill Burke" <bburke at redhat.com>
> > >> To: "Stian Thorgersen" <stian at redhat.com>
> > >> Cc: keycloak-dev at lists.jboss.org
> > >> Sent: Monday, 8 September, 2014 2:29:59 PM
> > >> Subject: Re: [keycloak-dev] screencasts all updated
> > >>
> > >>
> > >>
> > >> On 9/8/2014 4:00 AM, Stian Thorgersen wrote:
> > >>>
> > >>>
> > >>> ----- Original Message -----
> > >>>> From: "Bill Burke" <bburke at redhat.com>
> > >>>> To: keycloak-dev at lists.jboss.org
> > >>>> Sent: Friday, 5 September, 2014 10:34:22 PM
> > >>>> Subject: [keycloak-dev] screencasts all updated
> > >>>>
> > >>>> man I hate doing screencasts, but they are finally updated. It really
> > >>>> needed to be done as they were not in sync with the current version of
> > >>>> keycloak. I haven't linked them yet though. I'll do that when we
> > >>>> release.
> > >>>
> > >>> Nice - next time I can pitch in and do a few ;)
> > >>>
> > >>>>
> > >>>> One thing that drove me crazy was that I kept on getting logged out of
> > >>>> the admin console sporadically. Gotta figure out what is going wrong
> > >>>> here.
> > >>>
> > >>> Did you have multiple tabs open? We have a timer that logs you out
> > >>> after
> > >>> 300 seconds of inactivity. Problem is that if you have two tabs open
> > >>> with
> > >>> the admin console, one you're actively using and another in the
> > >>> background, the background tab will end up logging you out after 300
> > >>> seconds.
> > >>>
> > >>
> > >> That might be it.
> > >>
> > >>> We can either remove this altogether (my preferred option) and let the
> > >>> SSO
> > >>> idle timeout deal with it, or we could make sure you're only logged out
> > >>> if
> > >>> there's no activity to the console (can have tabs write a timestamp to
> > >>> html5 storage periodically and check this before logging out).
> > >>>
> > >>
> > >> Or just have the timer download the SSO idle timeout.
> > >
> > > Not sure I follow. Wouldn't that just change the timeout value, but still
> > > leave an inactive tab able to logout all tabs?
> > >
> >
> > Actually, are you sure that is it? I thought the timer was for the
> > timeout warning, not for anything else? I'm not even seeing the warning.
> >
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
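The timing explained at the top of this message, as an added model (not Keycloak's own code): a stand-in UserSession with the two bookkeeping policies, the "lazy" one that only writes LastSessionRefresh when the next refresh would land past the idle timeout, and the proposed fix that writes it on every refresh. The 1 min lifespan and 5 min idle timeout are the defaults named above; the 10 s refresh-ahead margin and the request schedules are assumptions made here so the replay is deterministic.

```python
"""Model of the SSO idle-timeout bookkeeping discussed above.

Added illustration, not Keycloak code: UserSession, the policy names and the
request schedules are constructed here. All times are in seconds.
"""

ACCESS_TOKEN_LIFESPAN = 60   # 1 min, the default named in the message
SSO_IDLE_TIMEOUT = 300       # 5 min, the default named in the message
MIN_VALIDITY = 10            # assumption: client refreshes when <10 s remain


class UserSession:
    """Minimal stand-in for the server-side session record (assumption)."""

    def __init__(self, started: int) -> None:
        self.last_session_refresh = started


def refresh_token(session: UserSession, now: int, policy: str) -> bool:
    """Handle one access-token refresh at time `now`.

    Returns True on success, False if the session has already idled out.
    policy "lazy":  write LastSessionRefresh only if the *next* refresh
                    (now + lifespan) would fall after the idle timeout
    policy "every": write it on every successful refresh (the simple fix)
    """
    if now >= session.last_session_refresh + SSO_IDLE_TIMEOUT:
        return False  # idle timeout reached, session is gone
    if policy == "every":
        session.last_session_refresh = now
    elif policy == "lazy":
        if now + ACCESS_TOKEN_LIFESPAN > session.last_session_refresh + SSO_IDLE_TIMEOUT:
            session.last_session_refresh = now
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return True


def simulate(request_times, policy):
    """Replay client requests. A refresh only happens on a request, and only
    once the current token is within MIN_VALIDITY of expiring.
    Returns (session_survived, log) where log holds (time, ok, last_refresh)."""
    session = UserSession(0)
    token_expires = ACCESS_TOKEN_LIFESPAN
    log = []
    for t in sorted(request_times):
        if t < token_expires - MIN_VALIDITY:
            continue  # token still fresh enough, no server round-trip
        ok = refresh_token(session, t, policy)
        log.append((t, ok, session.last_session_refresh))
        if not ok:
            return False, log
        token_expires = t + ACCESS_TOKEN_LIFESPAN
    return True, log


def count_writes(log) -> int:
    """How many times LastSessionRefresh was actually written (the cost the
    message wants to keep down)."""
    writes, prev = 0, 0
    for _, ok, last in log:
        if ok and last != prev:
            writes += 1
            prev = last
    return writes


def browse_then_pause():
    """Constructed schedule: a request every 10 s for 4 min, a 60 s pause,
    then one more request."""
    return list(range(0, 241, 10)) + [301]


def browse_continuously():
    """Constructed schedule: a request every 10 s for 10 min."""
    return list(range(0, 601, 10))


if __name__ == "__main__":
    for name, schedule in (("pause", browse_then_pause()),
                           ("continuous", browse_continuously())):
        for policy in ("lazy", "every"):
            survived, log = simulate(schedule, policy)
            print(f"{name:10s} {policy:5s} survived={survived} "
                  f"writes={count_writes(log)}")
```

Under the lazy policy the continuous schedule survives (the refresh at 250 s happens to fall in the 4 to 5 min window), while the browse-then-pause schedule is logged out at 301 s even though the user was active until 240 s; the every-refresh policy survives both, at the price of one write per refresh instead of one per idle window.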