[keycloak-user] Best practices for combining web and mobile usage in one realm
amaeztu at tesicnor.com
Tue Nov 15 12:06:06 EST 2016
I'm using keycloak 2.2.1 to secure my application. The application can
be accessed both via web and mobile (Android app). Both of them use the
authorization code flow, which I believe it's the ideal form of
authentication for my case.
The topic I want to clarify here is token lifespans. As far as I
understand, the SSO session idle timeout determines how long can a token
last without being refreshed. On the other hand, SSO session max
determines how long can a token last, even if it's being refreshed once
and again. Well, now couple of questions:
1. Is there a way to make the web session limited to, let's say, 30
minutes and to have a long lived refresh token for the app?
2. How to deal with the refresh token in the app? What I do right now is
to launch a webview when application starts and store the access and
refresh tokens in user preferences (which is secured in Android). I wrap
each http request made from the app and add the access token, unless it
has expired, then I request a new access token with the refresh token.
But when should I check the validity for the refresh token itself? I
don't want a chain of requests being interrupted because of the refresh
token being expired!
Thanks in advanced for your help!
Aritz Maeztu Otaño
Departamento Desarrollo de Software
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf. Aritz Maeztu: 948 68 03 06
Telf. Secretaría: 948 21 40 40
Antes de imprimir este e-mail piense bien si es necesario hacerlo: El
medioambiente es cosa de todos.
More information about the keycloak-user