[keycloak-dev] screencasts all updated

Marek Posolda mposolda at redhat.com
Tue Sep 9 02:47:17 EDT 2014


On 8.9.2014 16:04, Stian Thorgersen wrote:
> Think I've figured out what's going on with problem b.
>
> UserSession.LastSessionRefresh is only updated if the next access token refresh is after the timeout. The access token is also only refreshed when a request is made. With the default values being:
>
> * access token lifespan: 1 min
> * sso idle timeout: 5 min
>
> This means that a request has to be made between 4 min and 5 min after the last time LastSessionRefresh was updated. So you can basically browse around all you want for 4 minutes, leave it idle for 60 seconds, then when you do the next request the session will be timed out.
>
> The simple solution seems to be to update LastSessionRefresh every time the token is refreshed. Then post-1.0.final come up with a better scheme to reduce the amount of writes to UserSession.LastSessionRefresh
I wonder if the solution could be something simple like:

long minAllowedInterval = Math.min(5 * 60 * 1000L,
        (ssoIdleTimeoutMs - accessTokenLifespanMs) / 2);  // all values in milliseconds
if (System.currentTimeMillis() - lastSessionRefresh > minAllowedInterval) {
    updateLastSessionRefresh();  // write only when the last write is old enough
}

This will mean that if timeouts are low like:

* access token lifespan: 1 min
* sso idle timeout: 5 min

then it will update lastSessionRefresh on every token refresh. On the 
other hand, with bigger values like:

* access token lifespan: 1 min
* sso idle timeout: 60 min

it will update lastSessionRefresh only if the last refresh was older than 
around 30 minutes (exactly 30.5 minutes).

This might be a good compromise between flexibility and easiness. The 
easiest approach might be to always update the refresh or to use some hardcoded 
minAllowedInterval (like 10 minutes). The most flexible approach might 
be to add another configuration option for configuring 
minAllowedInterval, but I am not sure if it's needed (too many 
configuration options for various timeouts might be confusing for people 
imo).

Marek
>
> ----- Original Message -----
>> From: "Stian Thorgersen" <stian at redhat.com>
>> To: "Bill Burke" <bburke at redhat.com>
>> Cc: keycloak-dev at lists.jboss.org
>> Sent: Monday, 8 September, 2014 3:30:29 PM
>> Subject: Re: [keycloak-dev] screencasts all updated
>>
>> Actually it seems we have two problems:
>>
>> a) idletimeout plugin - this causes the logout if you have multiple tabs
>> open. With the SSO idle timeout feature this is not needed, so we should
>> just remove it to fix this issue
>>
>> b) issue with sso idle timeout - I tried setting the SSO idle timeout to a
>> low number (30 seconds), with access token lifespan lower (5 seconds) and
>> was continuously browsing. After 1 min or two I was logged out, even though
>> I was continuously doing requests (and network log shows it was doing
>> refreshing the token)
>>
>> ----- Original Message -----
>>> From: "Bill Burke" <bburke at redhat.com>
>>> To: "Stian Thorgersen" <stian at redhat.com>
>>> Cc: keycloak-dev at lists.jboss.org
>>> Sent: Monday, 8 September, 2014 3:05:47 PM
>>> Subject: Re: [keycloak-dev] screencasts all updated
>>>
>>>
>>>
>>> On 9/8/2014 8:37 AM, Stian Thorgersen wrote:
>>>>
>>>> ----- Original Message -----
>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>> To: "Stian Thorgersen" <stian at redhat.com>
>>>>> Cc: keycloak-dev at lists.jboss.org
>>>>> Sent: Monday, 8 September, 2014 2:29:59 PM
>>>>> Subject: Re: [keycloak-dev] screencasts all updated
>>>>>
>>>>>
>>>>>
>>>>> On 9/8/2014 4:00 AM, Stian Thorgersen wrote:
>>>>>>
>>>>>> ----- Original Message -----
>>>>>>> From: "Bill Burke" <bburke at redhat.com>
>>>>>>> To: keycloak-dev at lists.jboss.org
>>>>>>> Sent: Friday, 5 September, 2014 10:34:22 PM
>>>>>>> Subject: [keycloak-dev] screencasts all updated
>>>>>>>
>>>>>>> man I hate doing screencasts, but they are finally updated.  It really
>>>>>>> needed to be done as they were not in sync with the current version of
>>>>>>> keycloak.  I haven't linked them yet though.  I'll do that when we
>>>>>>> release.
>>>>>> Nice - next time I can pitch in and do a few ;)
>>>>>>
>>>>>>> One thing that drove me crazy was that I kept on getting logged out of
>>>>>>> the admin console sporadically.  Gotta figure out what is going wrong
>>>>>>> here.
>>>>>> Did you have multiple tabs open? We have a timer that logs you out
>>>>>> after
>>>>>> 300 seconds of inactivity. Problem is that if you have two tabs open
>>>>>> with
>>>>>> the admin console, one you're actively using and another in the
>>>>>> background, the background tab will end up logging you out after 300
>>>>>> seconds.
>>>>>>
>>>>> That might be it.
>>>>>
>>>>>> We can either remove this altogether (my preferred option) and let the
>>>>>> SSO
>>>>>> idle timeout deal with it, or we could make sure your only logged out
>>>>>> if
>>>>>> there's no activity to the console (can have tabs write a timestamp to
>>>>>> html5 storage periodically and check this before logging out).
>>>>>>
>>>>> Or just have the timer download the SSO idle timeout.
>>>> Not sure I follow. Wouldn't that just change the timeout value, but still
>>>> leave an inactive tab able to logout all tabs?
>>>>
>>> Actually, are you sure that is it?  I thought the timer was for the
>>> timeout warning, not for anything else?  I'm not even seeing the warning.
>>>
>>>
>>> --
>>> Bill Burke
>>> JBoss, a division of Red Hat
>>> http://bill.burkecentral.com
>>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
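Added example (not Keycloak code, and not part of any message above): a constructed timing model of the three LastSessionRefresh write policies discussed in this thread, Stian's description of the current behaviour, the always-write fix, and Marek's throttled minAllowedInterval scheme, replayed against the "browse 4 minutes, idle 60 seconds" scenario. It also shows a trade-off the throttled scheme carries: the idle gap a user survives after their last request shrinks by up to minAllowedInterval, because the last activity may not have been written. Policy function names, the refresh-timeline model and the exact boundary comparisons are assumptions of the example.

```python
# Added example, not Keycloak code: a constructed model of the three
# LastSessionRefresh write policies discussed in this thread. Times are in
# seconds; the boundary comparisons (> vs >=) are assumptions of the model.
ACCESS_TOKEN_LIFESPAN = 60   # thread default: 1 min
SSO_IDLE_TIMEOUT = 300       # thread default: 5 min
# Marek's formula: min(5 minutes, (sso idle timeout - access token lifespan) / 2)
MIN_ALLOWED_INTERVAL = min(5 * 60, (SSO_IDLE_TIMEOUT - ACCESS_TOKEN_LIFESPAN) // 2)

def write_if_next_refresh_past_timeout(now, last_write):
    """Behaviour Stian describes: write only when the *next* token refresh
    would already fall after the SSO idle timeout."""
    return now + ACCESS_TOKEN_LIFESPAN > last_write + SSO_IDLE_TIMEOUT

def write_always(now, last_write):
    """Simple fix: write LastSessionRefresh on every token refresh."""
    return True

def write_throttled(now, last_write):
    """Marek's proposal: write only when the last write is older than
    minAllowedInterval, to reduce writes to the UserSession."""
    return now - last_write > MIN_ALLOWED_INTERVAL

def simulate(refresh_times, policy):
    """Replay access-token refreshes (the adapter refreshes on a request once
    the token expired) against one write policy. The session starts at t=0
    with LastSessionRefresh=0. A refresh logs the user out when the session
    has been idle for SSO_IDLE_TIMEOUT measured from the last write; otherwise
    `policy` decides whether to rewrite LastSessionRefresh.
    Returns the logout time, or None if the session survived."""
    last_write = 0
    for t in sorted(refresh_times):
        if t - last_write > SSO_IDLE_TIMEOUT:
            return t
        if policy(t, last_write):
            last_write = t
    return None

# Constructed scenario from the thread: browse for 4 min (token refreshed
# every minute), go idle for just over 60 s, then make one more request.
BROWSE_4MIN_THEN_IDLE = [60, 120, 180, 240, 305]
# Same, but with an extra refresh between minute 4 and 5.
BROWSE_WITH_LATE_REQUEST = [60, 120, 180, 240, 250, 310]

if __name__ == "__main__":
    for policy in (write_if_next_refresh_past_timeout, write_always, write_throttled):
        print(f"{policy.__name__:34s} logout at: {simulate(BROWSE_4MIN_THEN_IDLE, policy)}")
```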
