[keycloak-user] Need help related to SSO session idle and SSO session idle max

[Jan Lieskovsky]

Hello Khyati,

On Mon, Jun 17, 2019 at 11:01 PM Khyati Kataria <katariakhyati11 at gmail.com>
wrote:

> Hi,
>
> I have one doubt related to these two fields: SSO session idle and SSO
> session idle max in keycloak token settings
>
> In our case it is been 30 minutes set as session idle , so webpage
> should get logout within 30 minutes. But we can observe it is not
> logging out after described time. We have also tried by setting to 2-3
> minutes, but it’s not happening.
>

Please have a look at the note in the "*13.3. Session and Token Timeouts*"
<https://www.keycloak.org/docs/latest/server_admin/index.html#_timeouts>
section
(below that table describing meaning of those options).

Per that note, when *SSO Session Idle* set to 30 minutes, the session won't
be
invalidated after exactly 30 minutes, but rather after 32 minutes. That
note explains,
why this behaviour is needed / necessary.


>
> But, when we set Session_max to 3 minute, then webpage is getting
> logout after 3 minutes.
>

For *SSO Session Idle* each any client requesting authentication or refresh
token within
the timeout will bump the timeout value again. On the other hand, *SSO
Session Max*
value is a hard timeout -- the session will be invalidated / expire after
this period of
time regardless of user (in)activity (if there were some requests in
between or not).


>
> So, basically it is taking session_max but session_idle is not working
> in our project.
>

See above.


>
> Could anyone please explain this behavior ? As per my understanding
> session idle time is not working. or I am not sure Is this expected
> behavior of keycloak or not ?
>
> Thanks in advance !
>
> Regards,
> Khyati Kataria
>

HTH

Regards, Jan


>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user