[keycloak-dev] Session duration for clients

Stian Thorgersen sthorger at redhat.com
Mon Nov 18 07:50:40 EST 2019


I believe this is an important thing to add to Keycloak, but the Keycloak
team will not have the capacity to do it until some point next year.
Hopefully early next year.

On Tue, 12 Nov 2019 at 04:24, 田畑義之 / TABATA,YOSHIYUKI <yoshiyuki.tabata.jy at hitachi.com> wrote:

> Hi,
>
> I agree with this idea.
> This idea will achieve our use case described in the thread [1].
> Do you have any plans to implement this?
>
> [1]
> https://lists.jboss.org/pipermail/keycloak-dev/2019-September/012530.html
>
> Regards,
> Yoshiyuki Tabata
> Hitachi, Ltd.
>
> -----Original Message-----
> From: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.jboss.org> On Behalf Of Stian Thorgersen
> Sent: Friday, November 08, 2019 6:09 PM
> To: keycloak-dev <keycloak-dev at lists.jboss.org>
> Subject: [!][keycloak-dev] Session duration for clients
>
> Today we have SSO session max and idle, but there is no way to control
> duration for individual clients.
>
> One side-effect of this is that if the SSO session max is very large all
> refresh tokens will have a long expiration time.
>
> It is also related to the max_age parameter. As tokens have a long expiration,
> the only way to control it is for the client to manually check auth_time in
> the tokens.
>
> One idea is that we could introduce a Client Session Max and Idle. The
> realm would allow setting a default value, but it would also be possible to
> override on a per-client basis. If not set for realm or client it would
> fall back to SSO Session Max/Idle.
>
> For Client Session Max, implementation should be pretty straightforward.
> When issuing tokens we make sure the expiration is set according to the
> Client Session Max.
>
> For Client Session Idle, implementation should also be pretty
> straightforward. Tokens would only be valid if within Client Session Idle. As long
> as clients refresh tokens they will get newly issued tokens that would be
> within the Client Session Idle, up until they reach Client Session Max when
> the refresh token would no longer be valid and the client would need to do
> a new authentication request to obtain new tokens.
>
> We should also add default_max_age to clients, which would make it possible
> to easily configure re-authentication for specific clients.
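The fallback and expiry rules sketched in the quoted proposal, as an added Python example that is not Keycloak's own code: a per-client override wins over the realm default, which wins over SSO Session Max/Idle, and a refresh token expires at the end of its idle window or at Client Session Max, whichever comes first. The class and function names are assumptions, as is capping the client session at SSO Session Max, which the proposal does not state.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class RealmLimits:
    sso_session_max: int                      # seconds; always set on a realm
    sso_session_idle: int
    client_session_max: Optional[int] = None  # proposed realm-wide default, None = unset
    client_session_idle: Optional[int] = None

@dataclass
class ClientLimits:
    client_session_max: Optional[int] = None  # proposed per-client override, None = unset
    client_session_idle: Optional[int] = None

def first_set(*values: Optional[int]) -> int:
    """Return the first value that is not None (explicit check so that 0 is honoured, not skipped)."""
    for v in values:
        if v is not None:
            return v
    raise ValueError("no value set")

def effective_limits(realm: RealmLimits, client: ClientLimits) -> Tuple[int, int]:
    """Resolve (max, idle): client override -> realm default -> SSO Session Max/Idle."""
    max_ = first_set(client.client_session_max, realm.client_session_max, realm.sso_session_max)
    idle = first_set(client.client_session_idle, realm.client_session_idle, realm.sso_session_idle)
    return max_, idle

def refresh_token_expiry(realm: RealmLimits, client: ClientLimits,
                         session_start: int, issued_at: int) -> int:
    """Expiry of a refresh token issued at `issued_at` in a client session begun at `session_start`:
    the idle window from issuance, cut off at Client Session Max (assumption: never past SSO Session Max)."""
    max_, idle = effective_limits(realm, client)
    hard_end = session_start + min(max_, realm.sso_session_max)
    return min(issued_at + idle, hard_end)

def simulate_refreshes(realm: RealmLimits, client: ClientLimits,
                       refresh_times: List[int]) -> List[Tuple[int, bool]]:
    """Replay refresh attempts at the given times (seconds after session start) and report whether
    each is accepted; a refused refresh means the client must re-authenticate for new tokens."""
    issued_at, results = 0, []
    for t in refresh_times:
        ok = t <= refresh_token_expiry(realm, client, 0, issued_at)
        results.append((t, ok))
        if ok:
            issued_at = t  # an accepted refresh issues a new token with a fresh idle window
    return results
```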

