[keycloak-user] Session timeouts for SPA + bearer backend

Andy Yar andyyar66 at gmail.com
Mon Nov 28 04:33:04 EST 2016

I'm having a problem with my Angular-based SPA.


The app's session seems to be valid (cookies), although requests to the backend
fail since its token has expired: openid-connect/token returns HTTP 400
("Refreshing token: token expired").


The app itself is protected with keycloak.js (Access Type: public +
Standard Flow: ON + login_required) and the backend is built with Spring
Security adapter (Access Type: bearer-only).

Everything works fine until I leave the app idle for some time and then
resume using it (requesting from the backend). When I do so, the backend starts
to respond with an error as if its session had timed out: openid-connect/token
returns 400. Obviously, though, the session for the app itself hadn't
expired yet.

As far as I know, there is for instance a KEYCLOAK_SESSION cookie which is
checked periodically by keycloak.js. When I remove the cookie manually, it
gets checked and the app gets redirected to its login screen.

KC version used is 2.2.1.Final. My realm token settings:
* Revoke Refresh Token: OFF
* SSO Session Idle: 30mins
* SSO Session Max: 6days
* Offline Session Idle: 30days
* Access Token Lifespan: 15mins
* ditto for Implicit Flow: 18mins

How should I set my app/token settings up to solve this? Should I just
force my client to log in again as soon as I get "Refreshing token: token
expired"? I don't know what the proper way to handle this is...

Thanks in advance.
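The behaviour described in the post, as an added example that is not part of the original message or of the Keycloak project: a fetch wrapper that refreshes the access token before every backend call and forces a new login when the refresh itself fails. It assumes a keycloak-js style adapter exposing `updateToken(minValidity)` (a promise resolving to a boolean, rejecting when the refresh token is no longer accepted) and `login()`; the in-memory adapter, the clock and the timings are constructed here to simulate the realm settings quoted above (15 min access token, 30 min SSO session idle), so the code runs offline.

```javascript
// Added example: SPA-side handling of access-token refresh against a
// bearer-only backend. The adapter below is a constructed stand-in for the
// object `new Keycloak(...)` returns in keycloak-js; only the two methods
// used here (updateToken, login) are modelled.

const MINUTE = 60 * 1000;

// Realm values from the post, assumed to apply to this simulation.
const ACCESS_TOKEN_LIFESPAN = 15 * MINUTE;
const SSO_SESSION_IDLE = 30 * MINUTE;

// Constructed fake adapter. The server side of a refresh is reduced to one
// rule: a refresh token is rejected once the SSO session has been idle
// longer than SSO_SESSION_IDLE (successful refreshes count as activity).
function createFakeAdapter(clock) {
  let accessTokenExpiresAt = clock.now() + ACCESS_TOKEN_LIFESPAN;
  let sessionLastActivity = clock.now();
  return {
    loginCalls: 0,               // a real adapter would redirect instead
    token: 'access-token-1',     // constructed placeholder, not a real JWT
    login() { this.loginCalls += 1; },
    updateToken(minValiditySeconds) {
      const now = clock.now();
      if (now < accessTokenExpiresAt - minValiditySeconds * 1000) {
        return Promise.resolve(false); // still valid, nothing to do
      }
      if (now - sessionLastActivity > SSO_SESSION_IDLE) {
        // What the post sees as HTTP 400 from openid-connect/token.
        return Promise.reject(new Error('Refreshing token: token expired'));
      }
      sessionLastActivity = now;
      accessTokenExpiresAt = now + ACCESS_TOKEN_LIFESPAN;
      this.token = 'access-token-refreshed-at-' + now;
      return Promise.resolve(true);
    },
  };
}

// Backend call wrapper: refresh if fewer than 30 s of validity remain, attach
// the bearer token, and on refresh failure send the user to login instead of
// issuing a request the bearer-only backend would reject.
async function callBackend(keycloak, doFetch, url) {
  try {
    await keycloak.updateToken(30);
  } catch (err) {
    keycloak.login();
    return { status: 'login-required', reason: err.message };
  }
  return doFetch(url, { headers: { Authorization: 'Bearer ' + keycloak.token } });
}

// Scenario from the post: work for a while, go idle, then resume.
async function simulateIdleAndResume(idleMinutes) {
  let t = 0;
  const clock = { now: () => t };
  const keycloak = createFakeAdapter(clock);
  // Constructed fetch stub: echoes the Authorization header it was given.
  const doFetch = (url, opts) =>
    Promise.resolve({ status: 'ok', auth: opts.headers.Authorization });
  const results = [];

  t = 10 * MINUTE;   // token still valid: no refresh
  results.push(await callBackend(keycloak, doFetch, '/api/first'));
  t = 20 * MINUTE;   // token expired, session active: refresh succeeds
  results.push(await callBackend(keycloak, doFetch, '/api/second'));
  t += idleMinutes * MINUTE;   // user walks away
  results.push(await callBackend(keycloak, doFetch, '/api/after-idle'));

  return { statuses: results.map((r) => r.status), loginCalls: keycloak.loginCalls };
}

// With a 45 min idle period the third call ends in 'login-required';
// with a 10 min idle period all three calls succeed.
simulateIdleAndResume(45).then((r) => console.log(JSON.stringify(r)));
```

The point the simulation makes is that the access token lifespan only decides how often `updateToken` refreshes; whether a refresh can succeed is governed by the SSO session idle timeout, so an idle period longer than that timeout will always end in a refresh failure, and the wrapper has to treat that failure as "log in again" rather than as a backend error.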
