[keycloak-user] Newbie question about session last access time updating

Joe Thielen joe at joethielen.com
Fri Aug 19 11:23:30 EDT 2016


>
> Date: Thu, 18 Aug 2016 06:06:08 +0200
> From: Stian Thorgersen <sthorger at redhat.com>
> Subject: Re: [keycloak-user] Newbie question about session last access time updating.
> To: Joe Thielen <joe at joethielen.com>
> Cc: keycloak-user <keycloak-user at lists.jboss.org>
> Message-ID: <CAJgngAfH_JfS-YK85SCUfDkeabuJBGYPu-fEi8du1ZuPsDVz_g at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> What you're doing works just fine and is the only way available at the
> moment at least. It will have an impact on performance, both in terms of
> latency for request in your app and also additional load on the KC server.
> As long as you take that into consideration you should be fine.
>
> On 17 August 2016 at 17:30, Joe Thielen <joe at joethielen.com> wrote:
>
> > Hello all.  I am new to both Keycloak and OpenID Connect.  Keycloak looks
> > like a fantastic project and thanks to all who've put in work on it.
> >
> > I love that Keycloak can be set up to save events (login/logout/etc...).
> > I love that there is a way to administratively log out user sessions.
> > All this is great.  My question is, what is the proper procedure to update
> > the session's "Last Access" if I want it to be updated on every page request
> > by a user?  In some cases I have strict application requirements where it's
> > important to know exactly when the user last did something.  So I can't
> > just log them in and periodically do a refresh to keep the session going.
> > I want to update the session every time the user does something (i.e.,
> > every page request or API request).
> >
> > Maybe this is overkill for most applications.  Like I said, I'm new to
> > both Keycloak and OpenID Connect.  I've figured out how to do the
> > authorization flow, request user info, and logout.  And I think I've
> > figured out how to update the session in such a manner that it does
> > update the last access time.  However, I'm not sure I'm doing it correctly...
> >
> > Here is an example using curl of what I've been doing to keep the last
> > access time updated:
> >
> > curl -s --data "grant_type=refresh_token&client_id=CLIENTID&client_secret=CLIENTSECRET&refresh_token=REFRESHTOKEN" "https://HOSTNAME:8443/auth/realms/REALMNAME/protocol/openid-connect/token"
> >
> > Am I incorrectly using the refresh token here?  In reading up on the
> > flow, it seems like this should only be used periodically, like when the
> > access_token expires.
> >
> > A positive side effect of this is that on every single request I'm
> > checking to ensure the session hasn't been administratively logged out.
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >

Good to know, thank you Stian.
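The per-request refresh that Stian confirms above, written out as an added Python example (not code from the thread or from the Keycloak project). It sends the same refresh_token grant as the curl command to the same token endpoint path, keeps the rotated refresh token that Keycloak returns with each response, and treats an HTTP 400 with error=invalid_grant as the "session was administratively logged out" case Joe mentions as a side benefit. The base URL, realm, client id, client secret and refresh token values are placeholders taken from the thread; the response bodies in the usage section are constructed samples, and the exact error_description text is an assumption.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Keycloak's OpenID Connect token endpoint, as used in the curl command on the page.
TOKEN_PATH = "/auth/realms/{realm}/protocol/openid-connect/token"


class SessionRevoked(Exception):
    """Raised when the token endpoint rejects the refresh token (e.g. after an admin logout)."""


def build_refresh_request(base_url, realm, client_id, client_secret, refresh_token):
    """Return (url, form_body_bytes) for the refresh_token grant shown in the thread."""
    url = base_url.rstrip("/") + TOKEN_PATH.format(realm=realm)
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }
    return url, urllib.parse.urlencode(form).encode()


def interpret_refresh_response(status, body_text):
    """Classify the token endpoint's answer.

    200 with an access_token: the session is still alive and its last access
    time has just been updated; the new token set is returned.
    400 with error=invalid_grant: the refresh token is no longer usable, which
    is what you get once the session behind it has been logged out.
    Anything else is surfaced as an error rather than silently treated as OK.
    """
    try:
        body = json.loads(body_text)
    except ValueError:
        raise RuntimeError(f"non-JSON response from token endpoint (HTTP {status})")
    if status == 200 and "access_token" in body:
        return body
    if status == 400 and body.get("error") == "invalid_grant":
        raise SessionRevoked(body.get("error_description", "refresh token rejected"))
    raise RuntimeError(f"unexpected token endpoint response: HTTP {status} {body}")


def touch_session(base_url, realm, client_id, client_secret, refresh_token, timeout=5):
    """Perform one refresh (one 'last access' update) and return the new tokens."""
    url, data = build_refresh_request(base_url, realm, client_id, client_secret, refresh_token)
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_refresh_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        # Keycloak puts the JSON error body on the 4xx response; read it before classifying.
        return interpret_refresh_response(err.code, err.read().decode())


class TrackedSession:
    """Per-user state for an app that refreshes on every page or API request."""

    def __init__(self, base_url, realm, client_id, client_secret, refresh_token):
        self.base_url, self.realm = base_url, realm
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token = refresh_token

    def on_request(self):
        """Call once per incoming request; returns a fresh access token or raises SessionRevoked."""
        tokens = touch_session(self.base_url, self.realm, self.client_id,
                               self.client_secret, self.refresh_token)
        # Keycloak hands back a new refresh token with each refresh; keep the latest
        # one, otherwise the next request would present a stale token.
        self.refresh_token = tokens.get("refresh_token", self.refresh_token)
        return tokens["access_token"]


if __name__ == "__main__":
    # Placeholder values from the thread; replace with real ones to run against a server.
    session = TrackedSession("https://HOSTNAME:8443", "REALMNAME",
                             "CLIENTID", "CLIENTSECRET", "REFRESHTOKEN")
    try:
        print("access token:", session.on_request()[:16], "...")
    except SessionRevoked as exc:
        print("session no longer active, send the user back to login:", exc)
```

Because each call is a round trip to the Keycloak server, this carries exactly the latency and server-load cost Stian describes; the `SessionRevoked` branch is what lets the application end the user's local session as soon as an administrator logs them out.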

