[keycloak-user] Newbie question about session last access time updating.

Stian Thorgersen sthorger at redhat.com
Thu Aug 18 00:06:08 EDT 2016


What you're doing works just fine and is the only way available at the
moment at least. It will have an impact on performance, both in terms of
latency for request in your app and also additional load on the KC server.
As long as you take that into consideration you should be fine.

On 17 August 2016 at 17:30, Joe Thielen <joe at joethielen.com> wrote:

> Hello all.  I am new to both Keycloak and OpenID Connect.  Keycloak looks
> like a fantastic project and thanks to all who've put in work on it.
>
> I love that Keycloak can be set up to save events (login/logout/etc...).
> I love that there is a way to administratively log out user sessions.  All
> this is great.  My question is, what is the proper procedure to update the
> session's "Last Access" if I want it to be updated on every page request by
> a user?  In some cases I have strict application requirements where it's
> important to know exactly when the user last did something.  So I can't
> just log them in and periodically do a refresh to keep the session going.
> I want to update the session every time the user does something (i.e.,
> every page request or API request).
>
> Maybe this is overkill for most applications.  Like I said, I'm new to
> both Keycloak and OpenID Connect.  I've figured out how to do the
> authorization flow, request user info, and logout.  And I think I've
> figured out how to update the session in such a manner that it does update
> the last access time.  However, I'm not sure I'm doing it correctly...
>
> Here is an example using curl of what I've been doing to keep the last
> access time updated:
>
> curl -s --data "grant_type=refresh_token&client_id=CLIENTID&client_
> secret=CLIENTSECRET&refresh_token=REFRESHTOKEN" "
> https://HOSTNAME:8443/auth/realms/REALMNAME/protocol/openid-connect/token
>
> Am I incorrectly using the refresh token here?  In reading up on the flow,
> it seems like this should only be used periodically, like when the
> access_token expires.
>
> A positive side effect of this is that on every single request I'm
> checking to ensure the session hasn't been administratively logged out.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160818/956ac2dc/attachment.html 


More information about the keycloak-user mailing list