Keycloak refresh token verification locally - keycloak

I have an SSO Session Idle set to 2 min and SSO Session Max set to 3 min. After I immediately log in, in my client's session list I can see my user's session is set active. However, after 2 min of being inactive, which is my refresh token's expiration time, Keycloak still holds my session in the active sessions list. I assume Keycloak checks verification of the token periodically and that is why my session is still being seen as active during this period. Is there a way to configure that time interval? Or is there any other reason why my session is still shown as active?
I set everything to 1 just to make sure that my token is expired after 3 min and the session is not supposed to be in the list.

Related

Unable to increase token lifespan in keycloak per client

When I try to set the access token lifespan (or any time related field, really) for a client, it only works when the specified time is lower than the time specified in the realm settings.
Let's say I have set the Access Token Lifespan, SSO Session Max and Client Session Max all to 1 day in my realm settings.
I have two clients, one public and one confidential.
For the public client, 1 day is fine. But for the confidential client I want to increase the Client Session Max and Access Token Lifespan to e.g. 7 days. I set this under "Advanced Settings" in the client settings in the admin console. However, this doesn't work. The expires_in from the access token response will always be 86400 seconds.
If I decrease the client specific settings to, e.g. 10 minutes, it does work.
How can I increase the token lifespan per client? Is it even possible? If not, is this by design or maybe a bug? (I'm using Keycloak 15.0.2.)
I'd expect it to work, as I want the realm to provide "maximum security" and then only lower it per client as a conscious decision (also, hovering the ?-icon says: "If not set, it uses the standard SSO Session Max value.")

Keycloak with clients that have different session expiration length

I am very new to Keycloak and want to use it for SSO, but some of our apps want to have a different session expiration length, say App A is 4 hours, App B is 8 hours.
To make this work, I will need to set Keycloak to the shortest expiration time, in this case 4 hours.
Is this the only way? Or, by a long shot, can Keycloak treat each client differently?
e.g.
Keycloak session set to 16 hours; if the request comes from App A, will it force the user to log in?
https://keycloak/oicd/login/?client_id=app_a&....
It is not clear what session means in your case. The user is logged in when the app has a valid ID/access token, which is usually short-lived, e.g. 5 min, and the app refreshes/renews tokens periodically (for example with refresh tokens). In theory that refresh can run indefinitely, but actually Offline Session timeouts are applied to the refresh token, so it can be limited.
There is also the IdP SSO session on top of that, which means that the user/app will get a token without being asked for user credentials when the user is redirected to the IdP login page = the user was authenticated recently and still has that SSO session.
Anyway, Keycloak gives you the option to customize session/token timeouts on the realm level:
Some of those timeouts can also be overridden on the client level:
Note: there can be many dependencies between all those timeouts, so always test your setup to see how it fits your needs. Example of how complicated it can get: How to specify refresh tokens lifespan in Keycloak

Keycloak access token expires too soon

I have an access token that should be valid for 10 hours, but it expires after 30 minutes. I use it to call the Keycloak REST API and it works for half an hour, but after that I get 401 - Unauthorized. I decoded it on jwt.io and the exp claim is 10 hours after I acquired it. I checked the system time and everything seems fine. What could be the problem?
Since you have not shared your config, I am assuming you are setting "Access Token Lifespan" to 10 hours (the same is reflected in your JWT as you mentioned).
To avoid logging in again and again, you need to set the SSO session time to 10 hours. (See 2 and 3 highlighted in the image below.)
Now coming to the access token: if you are using a browser to test your API, you can set it to any value less than your SSO session value, as the session cookie will be handled automatically by Keycloak.
However, if you are using Postman or another client to test your API and want to use the same token for 10 hours, then set your access token lifespan to 10 hours as well.
For more details, refer: https://www.keycloak.org/docs/latest/server_admin/#_timeouts

How to extend token expiring time if user is not active for a set period using JWT?

Take a normal web app as an example.
Traditionally, we use a session and set timeout = 30 minutes. If the session expires we redirect the user to login. (The expiry time is extended when the user/browser interacts with the web app.)
Using JWT, how can we achieve that?
I know something about "token refresh": when the short-lived token expires, a new one is obtained using the refresh token.
But it looks like it doesn't care about whether the user is interacting with the web app or not. So as long as the refresh token is alive, the browser can always get a new short-lived JWT.
So the question is: How to extend token expiring time if user is not active for a set period using JWT?
When the user interacts with your server, your server can decide to issue another JWT with a new expiration time (not at each request, but e.g. 5 min before the current JWT's expiration time). If the client receives a new JWT, it replaces the old one.
When the user does nothing, no new JWT is issued and the JWT will become invalid after the timeout.
If the user is active, then issue a new JWT every time the user enters the web application and every period of time (for example 1 hour).
If the user is not active but the browser is open, it can request a new JWT from the server in the background. The token must be requested before the expiry time and then replace the token in localStorage or a cookie. This technique can also be applied to standalone applications.
If the browser cannot request a new token (closed, not active, etc.) then the token will expire and you can redirect the user to login in the same way as when a server session expires.
Check this: JWT (JSON Web Token) automatic prolongation of expiration
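The sliding-expiration policy the answers above describe, as an added example that is not part of the original post: the server only reissues a JWT when the user is active inside the last few minutes of its lifetime, never extends past a hard cap measured from the original login, and lets an idle token simply run out. The HS256 signing, the secret, and the constants IDLE, RENEW_BEFORE and ABS_MAX are constructed for this example; a real deployment would use a library and its own values.

```python
import base64, hashlib, hmac, json
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret"  # constructed for this example only
IDLE = 30 * 60          # sliding window: token dies this long after last renewal
RENEW_BEFORE = 5 * 60   # renew only inside the last 5 min, not on every request
ABS_MAX = 8 * 3600      # hard cap measured from login, no matter how active

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims: dict) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(claims).base64url(mac)."""
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"

def verify(token: str, now: int) -> Optional[dict]:
    """Return the claims if the MAC is valid and exp has not passed, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, mac = parts
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(mac)):
        return None
    claims = json.loads(_unb64(body))
    return None if now >= claims["exp"] else claims

def issue(sub: str, now: int, auth_time: Optional[int] = None) -> str:
    """auth_time is the original login; exp slides with activity but never past auth_time + ABS_MAX."""
    auth_time = now if auth_time is None else auth_time
    exp = min(now + IDLE, auth_time + ABS_MAX)
    return sign({"sub": sub, "iat": now, "auth_time": auth_time, "exp": exp})

def on_request(token: str, now: int) -> Tuple[Optional[dict], Optional[str]]:
    """Handle one authenticated request: returns (claims, replacement JWT or None)."""
    claims = verify(token, now)
    if claims is None:
        return None, None  # expired or tampered: redirect to login
    if claims["exp"] - now > RENEW_BEFORE:
        return claims, None  # plenty of life left, don't churn tokens on every hit
    new_exp = min(now + IDLE, claims["auth_time"] + ABS_MAX)
    if new_exp <= claims["exp"]:
        return claims, None  # hard cap reached: let the token run out
    return claims, issue(claims["sub"], now, claims["auth_time"])
```

The client side then swaps in the replacement whenever `on_request` returns one; an idle browser that never calls the server gets nothing and its token expires on schedule.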

How authentication forms cookie will be tracked to expiration?

For my application we have not mentioned any explicit timeout, and the forms authentication cookie is set by default with an expiration time of 30 min and Sliding Expiration true. I came to know that the sliding expiration will reset the expiration time after 15 min.
In the cookie the only information I see is encrypted text, and the expiry time is not mentioned explicitly. Then how does the application track this cookie to expiration? Will the encrypted text get updated after 15 min, or is this tracking happening on the server side for a particular session?