[keycloak-dev] screencasts all updated

Bill Burke bburke at redhat.com
Mon Sep 8 10:10:01 EDT 2014


Ah, so the keycloak.js token refresh isn't based on a timer then.  It is 
checked/refreshed on demand.

On 9/8/2014 10:04 AM, Stian Thorgersen wrote:
> Think I've figured out what's going on with problem b.
>
> UserSession.LastSessionRefresh is only updated if the next access token refresh is after the timeout. The access token is also only refreshed when a request is made. With the default values being:
>
> * access token lifespan: 1 min
> * sso idle timeout: 5 min
>
> This means that a request has to be made between 4 min and 5 min after the last time LastSessionRefresh was updated. So you can basically browse around all you want for 4 minutes, leave it idle for 60 seconds, then when you do the next request the session will be timed out.
>
> The simple solution seems to be to update LastSessionRefresh every time the token is refreshed. Then post-1.0.final come up with a better scheme to reduce the amount of writes to UserSession.LastSessionRefresh.
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian at redhat.com>
>> To: "Bill Burke" <bburke at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Monday, 8 September, 2014 3:30:29 PM
>> Subject: Re: [keycloak-dev] screencasts all updated
>>
>> Actually it seems we have two problems:
>>
>> a) idletimeout plugin - this causes the logout if you have multiple tabs
>> open. With the SSO idle timeout feature this is not needed, so we should
>> just remove it to fix this issue
>>
>> b) issue with sso idle timeout - I tried setting the SSO idle timeout to a
>> low number (30 seconds), with access token lifespan lower (5 seconds) and
>> was continuously browsing. After 1 min or two I was logged out, even though
>> I was continuously doing requests (and network log shows it was
>> refreshing the token)
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: "Stian Thorgersen" <stian at redhat.com>
>>> Cc: keycloak-dev at lists.jboss.org
>>> Sent: Monday, 8 September, 2014 3:05:47 PM
>>> Subject: Re: [keycloak-dev] screencasts all updated
>>>
>>>
>>>
>>> On 9/8/2014 8:37 AM, Stian Thorgersen wrote:
>>>>
>>>>
>>>> ----- Original Message -----
>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>> Cc: keycloak-dev at lists.jboss.org
>>>>> Sent: Monday, 8 September, 2014 2:29:59 PM
>>>>> Subject: Re: [keycloak-dev] screencasts all updated
>>>>>
>>>>>
>>>>>
>>>>> On 9/8/2014 4:00 AM, Stian Thorgersen wrote:
>>>>>>
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>>>> To: keycloak-dev at lists.jboss.org
>>>>>>> Sent: Friday, 5 September, 2014 10:34:22 PM
>>>>>>> Subject: [keycloak-dev] screencasts all updated
>>>>>>>
>>>>>>> man I hate doing screencasts, but they are finally updated.  It really
>>>>>>> needed to be done as they were not in sync with the current version of
>>>>>>> keycloak.  I haven't linked them yet though.  I'll do that when we
>>>>>>> release.
>>>>>>
>>>>>> Nice - next time I can pitch in and do a few ;)
>>>>>>
>>>>>>>
>>>>>>> One thing that drove me crazy was that I kept on getting logged out of
>>>>>>> the admin console sporadically.  Gotta figure out what is going wrong
>>>>>>> here.
>>>>>>
>>>>>> Did you have multiple tabs open? We have a timer that logs you out
>>>>>> after
>>>>>> 300 seconds of inactivity. Problem is that if you have two tabs open
>>>>>> with
>>>>>> the admin console, one you're actively using and another in the
>>>>>> background, the background tab will end up logging you out after 300
>>>>>> seconds.
>>>>>>
>>>>>
>>>>> That might be it.
>>>>>
>>>>>> We can either remove this altogether (my preferred option) and let the
>>>>>> SSO
>>>>>> idle timeout deal with it, or we could make sure you're only logged out
>>>>>> if
>>>>>> there's no activity to the console (can have tabs write a timestamp to
>>>>>> html5 storage periodically and check this before logging out).
>>>>>>
>>>>>
>>>>> Or just have the timer download the SSO idle timeout.
>>>>
>>>> Not sure I follow. Wouldn't that just change the timeout value, but still
>>>> leave an inactive tab able to logout all tabs?
>>>>
>>>
>>> Actually, are you sure that is it?  I thought the timer was for the
>>> timeout warning, not for anything else?  I'm not even seeing the warning.
>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
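
Added example, not part of the original message and not Keycloak code: a simplified JavaScript model of the LastSessionRefresh behaviour Stian describes above, comparing the reported update rule with the proposed update on every token refresh. All function and field names are hypothetical, times are in seconds, and the request times are constructed sample input.

```javascript
// Simplified model of the behaviour described in the thread; not Keycloak code.
// All names are hypothetical. Times are in seconds.
const DEFAULTS = { tokenLifespan: 60, idleTimeout: 300 }; // defaults quoted in the thread

// requestTimes: ascending times at which the browser makes a request.
// updateAlways=false models the reported behaviour, true models the proposed fix.
function simulateSession(requestTimes, updateAlways, cfg = DEFAULTS) {
  let lastSessionRefresh = 0;          // login at t=0
  let tokenExpiry = cfg.tokenLifespan; // first access token issued at login
  const refreshes = [];

  for (const now of requestTimes) {
    // The token is only refreshed on demand, when a request finds it expired.
    if (now < tokenExpiry) continue;

    // Server side: refuse the refresh if the session has been idle too long.
    if (now > lastSessionRefresh + cfg.idleTimeout) {
      return { loggedOutAt: now, lastSessionRefresh, refreshes };
    }

    // Reported behaviour: the timestamp is only written when the *next*
    // refresh (at token expiry) would land after the idle deadline.
    const nextRefresh = now + cfg.tokenLifespan;
    if (updateAlways || nextRefresh > lastSessionRefresh + cfg.idleTimeout) {
      lastSessionRefresh = now;
    }
    tokenExpiry = nextRefresh;
    refreshes.push(now);
  }
  return { loggedOutAt: null, lastSessionRefresh, refreshes };
}

// Constructed input: a request every 30 s for 3.5 min, a 100 s pause, one more request.
const browsing = [30, 60, 90, 120, 150, 180, 210, 310];
// Constructed input: same start, but one request falls in the 4-5 min window.
const hitsWindow = [60, 120, 180, 250, 400];

console.log("reported rule:", simulateSession(browsing, false));
console.log("proposed fix: ", simulateSession(browsing, true));
console.log("reported rule, request in window:", simulateSession(hitsWindow, false));
```

With the reported rule the active user is rejected at t=310 although the longest pause was 100 seconds; the session only survives when a refresh happens to fall in the last minute before the idle deadline.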