[keycloak-dev] Session duration for clients

Stian Thorgersen sthorger at redhat.com
Fri Nov 8 04:08:56 EST 2019


Today we have SSO session max and idle, but there is no way to control
duration for individual clients.

One side-effect of this is that if the SSO session max is very large all
refresh tokens will have a long expiration time.

It is also related to the max_age parameter. As tokens have a long expiration,
the only way to control it is for the client to manually check auth_time in
the tokens.

One idea is that we could introduce a Client Session Max and Idle. The
realm would allow setting a default value, but it would also be possible to
override on a per-client basis. If not set for realm or client it would
fall back to SSO Session Max/Idle.

For Client Session Max, implementation should be pretty straightforward.
When issuing tokens we make sure the expiration is set according to the
Client Session Max.

For Client Session Idle, implementation should also be pretty
straightforward. Tokens would only be valid if within Client Session Idle. As long
as clients refresh tokens they will get newly issued tokens that would be
within the Client Session Idle, up until they reach Client Session Max when
the refresh token would no longer be valid and the client would need to do
a new authentication request to obtain new tokens.

We should also add default_max_age to clients, which would make it possible
to easily configure re-authentication for specific clients.
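As an added illustration of the semantics proposed above (example code, not Keycloak's implementation): the fallback chain client override -> realm default -> SSO session value, the refresh-token expiry as the earlier of the idle deadline and the session max, and the default_max_age re-authentication check. All config names and the time values are assumed for the example; times are seconds.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RealmConfig:
    sso_session_max: int                      # existing SSO Session Max
    sso_session_idle: int                     # existing SSO Session Idle
    client_session_max: Optional[int] = None  # proposed realm default
    client_session_idle: Optional[int] = None


@dataclass
class ClientConfig:
    client_session_max: Optional[int] = None  # proposed per-client override
    client_session_idle: Optional[int] = None
    default_max_age: Optional[int] = None     # proposed per-client max_age


def first_set(*values: Optional[int]) -> int:
    """Return the first explicitly configured value (0 counts as configured)."""
    for v in values:
        if v is not None:
            return v
    raise ValueError("no value configured")


def effective_limits(realm: RealmConfig, client: ClientConfig) -> tuple[int, int]:
    """Client override -> realm default -> SSO Session Max/Idle fallback."""
    max_ = first_set(client.client_session_max, realm.client_session_max, realm.sso_session_max)
    idle = first_set(client.client_session_idle, realm.client_session_idle, realm.sso_session_idle)
    return max_, idle


def token_expiry(realm: RealmConfig, client: ClientConfig, session_start: int, issued_at: int) -> int:
    """Token is valid within the idle window but never past Client Session Max."""
    max_, idle = effective_limits(realm, client)
    return min(session_start + max_, issued_at + idle)


def refresh(realm: RealmConfig, client: ClientConfig, session_start: int,
            last_issued: int, now: int) -> Optional[int]:
    """Expiry of the newly issued token, or None when the refresh token has
    expired and the client must start a new authentication request."""
    if now > token_expiry(realm, client, session_start, last_issued):
        return None
    return token_expiry(realm, client, session_start, now)


def needs_reauthentication(client: ClientConfig, auth_time: int, now: int,
                           requested_max_age: Optional[int] = None) -> bool:
    """Request-level max_age wins; otherwise the client's default_max_age applies."""
    max_age = requested_max_age if requested_max_age is not None else client.default_max_age
    return max_age is not None and now - auth_time > max_age
```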

