[keycloak-user] How to update a 'remember me' session?

Fri Jan 4 07:06:41 EST 2019

Hi Stian,

Thanks for your reply. It is already spawning some now thoughts. I will try to explain the underlying problem a bit more.

Unfortunately, this is a single page web app, which additionally is mostly ‘watched’ or simply ‘looked at’ most of the time (can be hours). Of course the idle timeouts (still defaults) could be increased, but somehow it felt strange putting the idle time to something like a day or two (or more). Additionally, the web app opens a websocket to the backend (standard Javascript web socket). Opening the websocket works fine as long as the tokens are valid, however, once the tokens are invalid opening the websocket fails due to security (which in itself is good!). Finally, the web app runs on mobile devices. Switching the app context (in particular on IOS) for even a second triggers a reload of the application (bad enough), but also triggers re-authentication, which without the ‘remember me’ functionality always goes past the login page.

What a user expects: as long as the web app is running the login page should not be shown; if a network problem occurs (they are running around with their mobile devices) the app has to recover (i.e. re-establish the websocket without the login page); if a user quickly changes the app context the app should basically continue (at least without the login page).

One possible solution I think: increase the idle timeouts for the sessions (normal and remember me) to some very high value (days; which we have tried to avoid so far).

Initially, we tried to use the Keycloak gatekeeper’s ‘enable-refresh-tokens’ feature to get the token and refresh token updated on the fly with each request (that is our understanding of this feature), however, it did not work. Tokens were never updated (maybe we were doing something wrong or there is a bug; this is another open issue on our side to be followed up). To avoid increasing the idle times to something very long, we are for moment periodically using the updateToken method to explicitly update the tokens, but even then, funny as it is, we have to rewrite the kc-access and kc-state cookies (used by the keycloak gatekeeper) ourselves (not nice as well). Anyhow, in the same way as we found means to programmatically extend the ‘lifetime’ of the token/updateToken we were thinking on how to programmatically extend the lifetime of the remember me session.

Thanks  & Regards,
Alex

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: 04 January 2019 11:55
To: Alex Chatziparaskewas <alex.chatziparaskewas at trapezegroup.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to update a 'remember me' session?

I wouldn't recommend on having a background keep alive using the update token. Rather, just rely on the user performing actions to keep the session alive and configure the SSO idle timeout accordingly to your needs.

With regards to remember me I don't understand your question as there is no difference here. Remember me only sets a persisted cookie so session survives a browser restart as well as recently we've introduce options to have different SSO idle and max for remember me sessions.

On Fri, 4 Jan 2019 at 07:24, Alex Chatziparaskewas <alex.chatziparaskewas at trapezegroup.com<mailto:alex.chatziparaskewas at trapezegroup.com>> wrote:
Hi All,

We are using the keycloak javascript adapter. In the same way as the token and refresh token can be updated gracefully in the background using its updateToken method, is there any means by which the same can be done to a 'remember me' session?

Thanks & Regards,
Alex

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user