[keycloak-dev] Override Refresh token lifespan per client

田畑義之 / TABATA,YOSHIYUKI yoshiyuki.tabata.jy at hitachi.com
Fri Sep 20 02:39:01 EDT 2019


Hello,

In cloud-native application systems, there are various client applications, and those applications are not at the same level (i.e. security level, alliance level, development level). Generally, a realm manager or a resource server manager wants to set a different timeout for tokens (access token/refresh token) per client. For example, for a client which wants to minimize authentication for the sake of usability, we set the timeout of a refresh token long enough. For a client which wants to refresh tokens periodically to mitigate the token interception attack, we set the timeout of a refresh token according to the client's requirements.

Currently, the timeout of an access token can be overridden per client. However, the timeout of a refresh token (including offline token) cannot be overridden per client.

We'd like to be able to override the timeout of a refresh token (including offline token) per client.

We've already tried to implement this just like access token lifespan overriding, and created a JIRA ticket and a PR, but Stian recommended that we discuss this use case and how to implement it on the ML, so I opened this thread.

For single sign-on purposes, it is useful to share sessions among clients in a realm.
However, when we implement this, sessions are no longer shared among clients, depending on the settings. And this is useful for API management purposes because, for API management purposes, tokens (= sessions) are associated with each client, and should be managed per client.

What do you think about this feature? I would be very happy if the community gave any kind of comment on it.

The JIRA ticket is the following.
https://issues.jboss.org/browse/KEYCLOAK-10907

The PR is the following.
https://github.com/keycloak/keycloak/pull/6309

Regards,
Yoshiyuki Tabata
Hitachi, Ltd.



