[keycloak-dev] Session duration for clients

田畑義之 / TABATA,YOSHIYUKI yoshiyuki.tabata.jy at hitachi.com
Mon Nov 11 22:24:39 EST 2019


Hi,

I agree with this idea.
This idea will achieve our use case described in the thread [1].
Do you have any plans to implement this?

[1] https://lists.jboss.org/pipermail/keycloak-dev/2019-September/012530.html

Regards,
Yoshiyuki Tabata
Hitachi, Ltd.

-----Original Message-----
From: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.jboss.org> On Behalf Of Stian Thorgersen
Sent: Friday, November 08, 2019 6:09 PM
To: keycloak-dev <keycloak-dev at lists.jboss.org>
Subject: [!][keycloak-dev] Session duration for clients

Today we have SSO session max and idle, but there is no way to control
duration for individual clients.

One side-effect of this is that if the SSO session max is very large all
refresh tokens will have a long expiration time.

It is also related to the max_age parameter. As tokens have a long expiration
the only way to control it is the client has to manually check auth_time in
the tokens.

One idea is that we could introduce a Client Session Max and Idle. The
realm would allow setting a default value, but it would also be possible to
override on a per-client basis. If not set for realm or client it would
fall back to SSO Session Max/Idle.

For Client Session Max implementation should be pretty straightforward.
When issuing tokens we make sure the expiration is set according to the
Client Session Max.

For Client Session Idle implementation should also be pretty
straightforward. Tokens would only be valid if within Client Session Idle. As long
as clients refresh tokens they will get newly issued tokens that would be
within the Client Session Idle, up until they reach Client Session Max when
the refresh token would no longer be valid and the client would need to do
a new authentication request to obtain new tokens.

We should also add default_max_age to clients, which would make it possible
to easily configure re-authentication for specific clients.
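
The fallback and expiry rules proposed in the message above, sketched as an added example that is not part of the original thread and is not Keycloak code. All class, field and function names are hypothetical, and times are assumed to be epoch seconds.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Lifespans:
    """All values in seconds; None means "not set" (hypothetical field names)."""
    sso_max: int
    sso_idle: int
    realm_client_max: Optional[int] = None
    realm_client_idle: Optional[int] = None
    client_max: Optional[int] = None
    client_idle: Optional[int] = None


def _pick(client: Optional[int], realm: Optional[int], sso: int) -> int:
    # Per-client override wins, then the realm default, then the SSO value.
    if client is not None:
        return client
    return realm if realm is not None else sso


def effective(cfg: Lifespans) -> Tuple[int, int]:
    """Return (client session max, client session idle) after fallback."""
    return (_pick(cfg.client_max, cfg.realm_client_max, cfg.sso_max),
            _pick(cfg.client_idle, cfg.realm_client_idle, cfg.sso_idle))


def refresh_token_exp(cfg: Lifespans, session_start: int, now: int) -> Optional[int]:
    """Expiry for a refresh token issued at `now`, or None once the client
    session max is reached and a new authentication request is required."""
    max_s, idle_s = effective(cfg)
    hard_stop = session_start + max_s
    if now >= hard_stop:
        return None
    # Each refresh slides the idle window, but never past the hard stop.
    return min(now + idle_s, hard_stop)


def needs_reauth(auth_time: int, now: int, max_age: Optional[int],
                 default_max_age: Optional[int]) -> bool:
    """max_age from the request wins; otherwise the client's default_max_age."""
    limit = max_age if max_age is not None else default_max_age
    return limit is not None and now - auth_time > limit
```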