[keycloak-user] Session timeouts for SPA + bearer backend
Stian Thorgersen
sthorger at redhat.com
Fri Dec 2 01:13:33 EST 2016
Sounds like your access token is expired. You need to refresh it. See the
docs for the JavaScript adapter and examples, specifically the updateToken
function.
On 28 November 2016 at 10:33, Andy Yar <andyyar66 at gmail.com> wrote:
> Hello,
> I'm having a problem with my SPA Angular based application.
>
> TL;DR
>
> The app's session seems to be valid (cookies) although requests to backend
> fail since its token has expired - openid-connect/token = HTTP 400
> (Refreshing token: token expired).
>
> =========================
>
> The app itself is protected with keycloak.js (Access Type: public +
> Standard Flow: ON + login_required) and the backend is built with Spring
> Security adapter (Access Type: bearer-only).
>
> Everything works fine until I leave the app idle for some time and then
> resume using it (requesting from backend). When I do so, the backend starts
> to respond with an error as its session had timed out - openid-connect/token
> returns 400. Although, obviously, the session for the app itself hadn't
> expired yet.
>
> As far as I know, there is for instance a KEYCLOAK_SESSION cookie which is
> checked periodically by keycloak.js. When I remove the cookie manually, it
> gets checked and the app gets redirected to its login screen.
>
> KC version used is 2.2.1.Final. My realm token settings:
> * Revoke Refresh Token: OFF
> * SSO Session Idle: 30mins
> * SSO Session Max: 6days
> * Offline Session Idle: 30days
> * Access Token Lifespan: 15mins
> * ditto for Implicit Flow: 18mins
>
> How should I set my app/token settings up to solve this? Should I just
> force my client to relog as soon as Refreshing token: token expired? Don't
> know what is the proper way to handle this...
>
> Thanks in advance.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
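
The refresh-before-request pattern the reply points to, as an added example that is not part of the original thread or Keycloak's own code. It assumes an initialized keycloak.js instance; `callBackend`, `refreshToken`, `send` and the stub adapter are hypothetical names, and the stub is constructed so the flow runs without a server.

```javascript
// Added example. callBackend, refreshToken, send and makeStubKeycloak are
// hypothetical names; updateToken(), token and login() are adapter API.
const MIN_VALIDITY_SECONDS = 30; // refresh if the token expires within 30 s

// Older adapters return an object with .success()/.error(); newer ones
// return a native Promise. Support both.
function refreshToken(keycloak, minValidity, onFresh, onFailed) {
  const pending = keycloak.updateToken(minValidity);
  if (typeof pending.success === 'function') {
    pending.success(onFresh).error(onFailed);
  } else {
    pending.then(onFresh, onFailed);
  }
}

// Refresh first, then pass the request to `send` with a bearer header.
// If the refresh fails (e.g. the refresh token expired while the app sat
// idle), start a new login instead of sending a stale token.
function callBackend(keycloak, send, url, options) {
  refreshToken(keycloak, MIN_VALIDITY_SECONDS, function () {
    const headers = Object.assign({}, (options || {}).headers, {
      Authorization: 'Bearer ' + keycloak.token
    });
    send(url, Object.assign({}, options, { headers: headers }));
  }, function () {
    keycloak.login();
  });
}

// Constructed stand-in for the adapter so the flow runs without a server.
function makeStubKeycloak(refreshSucceeds) {
  const kc = { token: 'stale-token', loginCalls: 0 };
  kc.login = function () { kc.loginCalls += 1; };
  kc.updateToken = function () {
    const p = {
      success: function (cb) {
        if (refreshSucceeds) { kc.token = 'fresh-token'; cb(true); }
        return p;
      },
      error: function (cb) { if (!refreshSucceeds) { cb(); } return p; }
    };
    return p;
  };
  return kc;
}
```

In the SPA, `send` would be the app's HTTP call (for instance a thin wrapper around its HTTP client), so every backend request goes out with a token that was checked just before sending.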