[keycloak-dev] screencasts all updated
Stian Thorgersen
stian at redhat.com
Mon Sep 8 11:06:49 EDT 2014
Yep
I'll remove the idle-timeout plugin and also change the LastSessionRefresh to be updated on each refresh. I'll also create a jira issue for 1.1 to figure out some way to reduce amount of updates to LastSessionRefresh.
----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Monday, 8 September, 2014 4:10:01 PM
> Subject: Re: [keycloak-dev] screencasts all updated
>
> Ah, so the keycloak.js token refresh isn't based on a timer then. It is
> checked/refreshed on demand.
>
> On 9/8/2014 10:04 AM, Stian Thorgersen wrote:
> > Think I've figured out what's going on with problem b.
> >
> > UserSession.LastSessionRefresh is only updated if the next access token
> > refresh is after the timeout. The access token is also only refreshed when
> > a request is made. With the default values being:
> >
> > * access token lifespan: 1 min
> > * sso idle timeout: 5 min
> >
> > This means that a request has to be made between 4 min and 5 min after the
> > last time LastSessionRefresh was updated. So you can basically browse
> > around all you want for 4 minutes, leave it idle for 60 seconds, then when
> > you do the next request the session will be timed out.
> >
> > The simple solution seems to be to update LastSessionRefresh everytime the
> > token is refreshed. Then post-1.0.final come up with a better scheme to
> > reduce the amount of writes to UserSession.LastSessionRefresh
> >
> > ----- Original Message -----
> >> From: "Stian Thorgersen" <stian at redhat.com>
> >> To: "Bill Burke" <bburke at redhat.com>
> >> Cc: keycloak-dev at lists.jboss.org
> >> Sent: Monday, 8 September, 2014 3:30:29 PM
> >> Subject: Re: [keycloak-dev] screencasts all updated
> >>
> >> Actually it seems we have two problems:
> >>
> >> a) idletimeout plugin - this causes the logout if you have multiple tabs
> >> open. With the SSO idle timeout feature this is not needed, so we should
> >> just remove it to fix this issue
> >>
> >> b) issue with sso idle timeout - I tried setting the SSO idle timeout to a
> >> low number (30 seconds), with access token lifespan lower (5 seconds) and
> >> was continuously browsing. After 1 min or two I was logged out, even
> >> though
> >> I was continuously doing requests (and network log shows it was doing
> >> refreshing the token)
> >>
> >> ----- Original Message -----
> >>> From: "Bill Burke" <bburke at redhat.com>
> >>> To: "Stian Thorgersen" <stian at redhat.com>
> >>> Cc: keycloak-dev at lists.jboss.org
> >>> Sent: Monday, 8 September, 2014 3:05:47 PM
> >>> Subject: Re: [keycloak-dev] screencasts all updated
> >>>
> >>>
> >>>
> >>> On 9/8/2014 8:37 AM, Stian Thorgersen wrote:
> >>>>
> >>>>
> >>>> ----- Original Message -----
> >>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>> To: "Stian Thorgersen" <stian at redhat.com>
> >>>>> Cc: keycloak-dev at lists.jboss.org
> >>>>> Sent: Monday, 8 September, 2014 2:29:59 PM
> >>>>> Subject: Re: [keycloak-dev] screencasts all updated
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 9/8/2014 4:00 AM, Stian Thorgersen wrote:
> >>>>>>
> >>>>>>
> >>>>>> ----- Original Message -----
> >>>>>>> From: "Bill Burke" <bburke at redhat.com>
> >>>>>>> To: keycloak-dev at lists.jboss.org
> >>>>>>> Sent: Friday, 5 September, 2014 10:34:22 PM
> >>>>>>> Subject: [keycloak-dev] screencasts all updated
> >>>>>>>
> >>>>>>> man I hate doing screencasts, but they are finally updated. It
> >>>>>>> really
> >>>>>>> needed to be done as they were not in sync with the current version
> >>>>>>> of
> >>>>>>> keycloak. I haven't linked them yet though. I'll do that when we
> >>>>>>> release.
> >>>>>>
> >>>>>> Nice - next time I can pitch in and do a few ;)
> >>>>>>
> >>>>>>>
> >>>>>>> One thing that drove me crazy was that I kept on getting logged out
> >>>>>>> of
> >>>>>>> the admin console sporadically. Gotta figure out what is going wrong
> >>>>>>> here.
> >>>>>>
> >>>>>> Did you have multiple tabs open? We have a timer that logs you out
> >>>>>> after
> >>>>>> 300 seconds of inactivity. Problem is that if you have two tabs open
> >>>>>> with
> >>>>>> the admin console, one you're actively using and another in the
> >>>>>> background, the background tab will end up logging you out after 300
> >>>>>> seconds.
> >>>>>>
> >>>>>
> >>>>> That might be it.
> >>>>>
> >>>>>> We can either remove this altogether (my preferred option) and let the
> >>>>>> SSO
> >>>>>> idle timeout deal with it, or we could make sure your only logged out
> >>>>>> if
> >>>>>> there's no activity to the console (can have tabs write a timestamp to
> >>>>>> html5 storage periodically and check this before logging out).
> >>>>>>
> >>>>>
> >>>>> Or just have the timer download the SSO idle timeout.
> >>>>
> >>>> Not sure I follow. Wouldn't that just change the timeout value, but
> >>>> still
> >>>> leave an inactive tab able to logout all tabs?
> >>>>
> >>>
> >>> Actually, are you sure that is it? I thought the timer was for the
> >>> timeout warning, not for anything else? I'm not even seeing the warning.
> >>>
> >>>
> >>> --
> >>> Bill Burke
> >>> JBoss, a division of Red Hat
> >>> http://bill.burkecentral.com
> >>>
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
More information about the keycloak-dev
mailing list