[keycloak-dev] screencasts all updated
Stian Thorgersen
stian at redhat.com
Tue Sep 9 07:48:47 EDT 2014
I've fixed the user session and removed the idle-timeout.
I also noticed that the admin console was doing 3 requests to refresh the token every time it expired. I fixed this by making sure only a single refresh request is sent concurrently, others just add to a queue waiting for the refresh token response.
----- Original Message -----
> From: "Stian Thorgersen" <stian at redhat.com>
> To: "Marek Posolda" <mposolda at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 9 September, 2014 10:03:18 AM
> Subject: Re: [keycloak-dev] screencasts all updated
>
> For now I'm changing it to update every time. At the moment we don't have
> cluster support and all user sessions are stored in-mem so this is not an
> issue.
>
> When we add cluster support we obviously need to distribute this. I think
> delaying the update would be best in those cases. Basically we only
> distribute the last refresh if it's close to expire.
>
> ----- Original Message -----
> > From: "Marek Posolda" <mposolda at redhat.com>
> > To: keycloak-dev at lists.jboss.org
> > Sent: Tuesday, 9 September, 2014 8:47:17 AM
> > Subject: Re: [keycloak-dev] screencasts all updated
> >
> > On 8.9.2014 16:04, Stian Thorgersen wrote:
> > > Think I've figured out what's going on with problem b.
> > >
> > > UserSession.LastSessionRefresh is only updated if the next access token
> > > refresh is after the timeout. The access token is also only refreshed
> > > when
> > > a request is made. With the default values being:
> > >
> > > * access token lifespan: 1 min
> > > * sso idle timeout: 5 min
> > >
> > > This means that a request has to be made between 4 min and 5 min after
> > > the
> > > last time LastSessionRefresh was updated. So you can basically browse
> > > around all you want for 4 minutes, leave it idle for 60 seconds, then
> > > when
> > > you do the next request the session will be timed out.
> > >
> > > The simple solution seems to be to update LastSessionRefresh everytime
> > > the
> > > token is refreshed. Then post-1.0.final come up with a better scheme to
> > > reduce the amount of writes to UserSession.LastSessionRefresh
> > I wonder if solution could be something simple like:
> >
> > long minAllowedInterval = min(5 minutes, (sso idle timeout - access
> > token lifespan) / 2);
> > if (System.currentTimeMillis() - lastSessionRefresh < minAllowedInterval) {
> > updateLastSessionRefresh();
> > }
> >
> > This will mean that if timeouts are low like:
> >
> > * access token lifespan: 1 min
> > * sso idle timeout: 5 min
> >
> > then it will update lastSessionRefresh in every token refresh. On the
> > other hand with bigger values like:
> >
> > * access token lifespan: 1 min
> > * sso idle timeout: 60 min
> >
> > it will update lastSessionRefresh just if last refresh was older than
> > around 30 minutes (exactly 30,5 minutes).
> >
> > This might be good compromise between flexibility and easiness. The
> > easiest approach might be to always update refresh or use some hardcoded
> > minAllowedInterval (like 10 minutes). The most flexible approach might
> > be to add another configuration option for configuring
> > minAllowedInterval, but I am not sure if it's needed (too much
> > configuration options for various timeouts might be confusing for people
> > imo).
> >
> > Marek
> > >
> > > ----- Original Message -----
> > >> From: "Stian Thorgersen" <stian at redhat.com>
> > >> To: "Bill Burke" <bburke at redhat.com>
> > >> Cc: keycloak-dev at lists.jboss.org
> > >> Sent: Monday, 8 September, 2014 3:30:29 PM
> > >> Subject: Re: [keycloak-dev] screencasts all updated
> > >>
> > >> Actually it seems we have two problems:
> > >>
> > >> a) idletimeout plugin - this causes the logout if you have multiple tabs
> > >> open. With the SSO idle timeout feature this is not needed, so we should
> > >> just remove it to fix this issue
> > >>
> > >> b) issue with sso idle timeout - I tried setting the SSO idle timeout to
> > >> a
> > >> low number (30 seconds), with access token lifespan lower (5 seconds)
> > >> and
> > >> was continuously browsing. After 1 min or two I was logged out, even
> > >> though
> > >> I was continuously doing requests (and network log shows it was doing
> > >> refreshing the token)
> > >>
> > >> ----- Original Message -----
> > >>> From: "Bill Burke" <bburke at redhat.com>
> > >>> To: "Stian Thorgersen" <stian at redhat.com>
> > >>> Cc: keycloak-dev at lists.jboss.org
> > >>> Sent: Monday, 8 September, 2014 3:05:47 PM
> > >>> Subject: Re: [keycloak-dev] screencasts all updated
> > >>>
> > >>>
> > >>>
> > >>> On 9/8/2014 8:37 AM, Stian Thorgersen wrote:
> > >>>>
> > >>>> ----- Original Message -----
> > >>>>> From: "Bill Burke" <bburke at redhat.com>
> > >>>>> To: "Stian Thorgersen" <stian at redhat.com>
> > >>>>> Cc: keycloak-dev at lists.jboss.org
> > >>>>> Sent: Monday, 8 September, 2014 2:29:59 PM
> > >>>>> Subject: Re: [keycloak-dev] screencasts all updated
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>> On 9/8/2014 4:00 AM, Stian Thorgersen wrote:
> > >>>>>>
> > >>>>>> ----- Original Message -----
> > >>>>>>> From: "Bill Burke" <bburke at redhat.com>
> > >>>>>>> To: keycloak-dev at lists.jboss.org
> > >>>>>>> Sent: Friday, 5 September, 2014 10:34:22 PM
> > >>>>>>> Subject: [keycloak-dev] screencasts all updated
> > >>>>>>>
> > >>>>>>> man I hate doing screencasts, but they are finally updated. It
> > >>>>>>> really
> > >>>>>>> needed to be done as they were not in sync with the current version
> > >>>>>>> of
> > >>>>>>> keycloak. I haven't linked them yet though. I'll do that when we
> > >>>>>>> release.
> > >>>>>> Nice - next time I can pitch in and do a few ;)
> > >>>>>>
> > >>>>>>> One thing that drove me crazy was that I kept on getting logged out
> > >>>>>>> of
> > >>>>>>> the admin console sporadically. Gotta figure out what is going
> > >>>>>>> wrong
> > >>>>>>> here.
> > >>>>>> Did you have multiple tabs open? We have a timer that logs you out
> > >>>>>> after
> > >>>>>> 300 seconds of inactivity. Problem is that if you have two tabs open
> > >>>>>> with
> > >>>>>> the admin console, one you're actively using and another in the
> > >>>>>> background, the background tab will end up logging you out after 300
> > >>>>>> seconds.
> > >>>>>>
> > >>>>> That might be it.
> > >>>>>
> > >>>>>> We can either remove this altogether (my preferred option) and let
> > >>>>>> the
> > >>>>>> SSO
> > >>>>>> idle timeout deal with it, or we could make sure your only logged
> > >>>>>> out
> > >>>>>> if
> > >>>>>> there's no activity to the console (can have tabs write a timestamp
> > >>>>>> to
> > >>>>>> html5 storage periodically and check this before logging out).
> > >>>>>>
> > >>>>> Or just have the timer download the SSO idle timeout.
> > >>>> Not sure I follow. Wouldn't that just change the timeout value, but
> > >>>> still
> > >>>> leave an inactive tab able to logout all tabs?
> > >>>>
> > >>> Actually, are you sure that is it? I thought the timer was for the
> > >>> timeout warning, not for anything else? I'm not even seeing the
> > >>> warning.
> > >>>
> > >>>
> > >>> --
> > >>> Bill Burke
> > >>> JBoss, a division of Red Hat
> > >>> http://bill.burkecentral.com
> > >>>
> > >> _______________________________________________
> > >> keycloak-dev mailing list
> > >> keycloak-dev at lists.jboss.org
> > >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> > >>
> > > _______________________________________________
> > > keycloak-dev mailing list
> > > keycloak-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list