[keycloak-user] session inactivity; ignoring auto refresh requests
sheishere b
sheishere48 at gmail.com
Thu Sep 15 02:44:29 EDT 2016
Thanks for your input
On Thu, Sep 8, 2016 at 12:08 PM, Stian Thorgersen <sthorger at redhat.com>
wrote:
> As long as the token is refreshed Keycloak sees it as an active user.
> Simplest option would be to make your app stop doing the background
> requests after a while, which would result in in the session timing out. It
> could also trigger a logout of the user from the application itself.
> Alternatively we could potentially do something like having adding a
> proprietary option to the refresh request to prevent it being seen as "user
> activity", but I'm less keen on that since it'd be non-standard OIDC.
>
> On 7 September 2016 at 12:41, sheishere b <sheishere48 at gmail.com> wrote:
>
>> We have node js integrated with keycloak & keycloak is running as a
>> service in jboss.
>> There are many http requests being sent from browser to server in the
>> background as part of auto refresh of some tables.
>> So if user has opened browser & remains inactive; in the background many
>> requests are made. Keycloak will never detect inactivity & hence session
>> will never be invalidated after session inactivity timeout.
>> Is there a way in keycloak to ignore such background requests from being
>> considered for session alive scenarios?
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160915/262bfb57/attachment.html
More information about the keycloak-user
mailing list