[keycloak-dev] Remove seconds for token timeouts

Marek Posolda mposolda at redhat.com
Mon Jan 25 03:54:40 EST 2016


Not sure about that. IMO seconds are good for having more fine-grained 
timeout values. For example, in some deployments the "Access token 
timeout" value of 1 minute might be too short, but 2 minutes too long, 
so they prefer to use 90 seconds as a compromise.

Also, seconds are good for development. For example, I sometimes use 
seconds for testing (i.e. setting the timeout to 10 seconds to quickly 
enforce a refresh, etc.).

Skipping seconds to address KEYCLOAK-1341 looks to me like a workaround rather 
than a real solution. The question is whether we should address KEYCLOAK-1341 
at all. There are probably many ways an admin can break the 
login to the admin console itself or break Keycloak entirely. A few 
examples that come to my mind (there are likely many more):
- Delete or disable the security-admin-console client
- Delete or disable himself
- Remove roles from himself
- Remove scopes from the security-admin-console client
- Configure the authentication flow in some way that it's not possible to log in 
anymore
- Timeouts

I don't think we should try to prevent all of these situations. I 
haven't seen any real support questions related to this. And, for example, 
in Linux if you do "rm -rf /home" the system is broken as well. Isn't 
this kind of similar? IMO admins should back up the database so they 
can revert if they accidentally misconfigure things.

Marek
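As an added illustration of the point above that the real safeguard is catching a misconfiguration before it locks you out (example code, not Keycloak's own): a pre-import sanity check over a realm export that flags an access-token lifespan below a chosen floor and a missing or disabled security-admin-console client. The field names (accessTokenLifespan, clients[].clientId, clients[].enabled) and the 60-second floor are assumptions; the sample export is constructed.

```python
import json

# Lower bound (seconds) below which an access-token lifespan is treated as
# dangerously short for interactive admin use; a constructed policy value.
MIN_ACCESS_TOKEN_LIFESPAN = 60

# Clients the admin console login depends on (client ID is from the thread).
REQUIRED_CLIENTS = ("security-admin-console",)


def check_realm(realm):
    """Return a list of findings for a parsed realm export dict.

    Field names (accessTokenLifespan, clients[].clientId, clients[].enabled)
    follow the Keycloak realm representation as assumed here; adjust them
    if your export differs.
    """
    findings = []
    lifespan = realm.get("accessTokenLifespan")
    if lifespan is None:
        findings.append("accessTokenLifespan missing")
    elif lifespan < MIN_ACCESS_TOKEN_LIFESPAN:
        findings.append(
            f"accessTokenLifespan {lifespan}s is below {MIN_ACCESS_TOKEN_LIFESPAN}s"
        )

    # Index clients by ID, then verify each required one exists and is enabled.
    clients = {c.get("clientId"): c for c in realm.get("clients", [])}
    for client_id in REQUIRED_CLIENTS:
        client = clients.get(client_id)
        if client is None:
            findings.append(f"client {client_id} is missing")
        elif not client.get("enabled", True):
            findings.append(f"client {client_id} is disabled")
    return findings


def check_realm_json(text):
    """Parse a realm export JSON string and run check_realm on it."""
    return check_realm(json.loads(text))


# Constructed sample export: 10-second lifespan and a disabled admin console client.
SAMPLE_EXPORT = json.dumps({
    "realm": "master",
    "accessTokenLifespan": 10,
    "clients": [
        {"clientId": "security-admin-console", "enabled": False},
        {"clientId": "account", "enabled": True},
    ],
})

if __name__ == "__main__":
    for finding in check_realm_json(SAMPLE_EXPORT):
        print("WARNING:", finding)
```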

On 21/01/16 20:45, Stian Thorgersen wrote:
> Do we need to have seconds at all for token timeouts? Removing seconds 
> from tokens would make it simpler, but also make sure no one sets 
> timeouts that are too short (see 
> https://issues.jboss.org/browse/KEYCLOAK-1341)
