[keycloak-user] Best practices for combining web and mobile usage in one realm
glavoie at gmail.com
Thu Nov 17 08:10:28 EST 2016
as Iván mentioned, you should have a look at offline refresh tokens
(requested by using the scope=offline_access query parameter in your
authorization code flow initial request).
An offline token has a different semantic and timeout. From what I've
tested "SSO Session Idle" and "SSO Session Max" don't apply to them, only
"Offline Session Idle". Offline Session Idle is the maximum delay between
last refresh and session expiry. Let say your Offline Session Idle is 30
days and you refresh your token after 15 days, this will reset the offline
session timeout again. You can basically have an infinite session if the
user uses frequently the token.
2016-11-16 4:52 GMT-05:00 Iván Perdomo <ivan at akvo.org>:
> Found the location of the "Offline Access" section:
> On 11/16/2016 09:55 AM, Iván Perdomo wrote:
> > Hi,
> > I think you should look at offline tokens, introduced in Keycloak 1.6.1
> >  http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html
> > On 11/15/2016 06:06 PM, Aritz Maeztu wrote:
> >> Hi all,
> >> I'm using keycloak 2.2.1 to secure my application. The application can
> >> be accessed both via web and mobile (Android app). Both of them use the
> >> authorization code flow, which I believe it's the ideal form of
> >> authentication for my case.
> >> The topic I want to clarify here is token lifespans. As far as I
> >> understand, the SSO session idle timeout determines how long can a token
> >> last without being refreshed. On the other hand, SSO session max
> >> determines how long can a token last, even if it's being refreshed once
> >> and again. Well, now couple of questions:
> >> 1. Is there a way to make the web session limited to, let's say, 30
> >> minutes and to have a long lived refresh token for the app?
> >> 2. How to deal with the refresh token in the app? What I do right now is
> >> to launch a webview when application starts and store the access and
> >> refresh tokens in user preferences (which is secured in Android). I wrap
> >> each http request made from the app and add the access token, unless it
> >> has expired, then I request a new access token with the refresh token.
> >> But when should I check the validity for the refresh token itself? I
> >> don't want a chain of requests being interrupted because of the refresh
> >> token being expired!
> >> Thanks in advanced for your help!
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
glavoie at gmail.com
More information about the keycloak-user