[keycloak-user] SSO Session Idle Timeout for Direct
Schneider, John DODGE CONSULTING SERVICES, LLC
John.Schneider at carrier.utc.com
Fri Aug 22 09:52:47 EDT 2014
My application is checking the access token timeout and refreshing it if expired. The thing is, the tokens are being invalidated after the SSO session timeout. So if I have the access token timeout set to 4 hours, and the SSO timeout set to 15 minutes, the access token and refresh tokens are both invalidated after only 15 minutes.
Date: Thu, 21 Aug 2014 17:34:16 -0400
From: Bill Burke <bburke at redhat.com<mailto:bburke at redhat.com>>
Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct
Grants
To: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Message-ID: <53F665D8.9000303 at redhat.com<mailto:53F665D8.9000303 at redhat.com>>
Content-Type: text/plain; charset=windows-1252; format=flowed
I don't agree...
Your application should be checking for token timeouts and performing a
refresh. The response from direct-grant gives you a refresh token as
well as an access token as well as a timeout (which you could check from
the access token).
Since you have a refresh token, you can refresh the access token. You
still want the same setup: Short access token lifespan
(seconds/minutes) with a longer refresh timeout minutes/hours. This is
for revocation checks, permission changes, etc.
I could set up a different SSO timeout/access token timeout for grant
requests if you want, but that would have to be after 1.0.final.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20140822/e815d87d/attachment.html
More information about the keycloak-user
mailing list