
Notes on keycloak~token configuration

Popularity:828 ℃/2024-10-23 08:53:48

Session validity

In Keycloak, "SSO Session Idle" and "SSO Session Max" are two parameters used to configure Single Sign-On (SSO) sessions. These two parameters affect the session expiration and maximum validity time of a user in the system.

  1. SSO Session Idle (single sign-on session idle time):

    • Definition: A time threshold indicating that a user has no activity in the system. If a user does not interact with the system during this time, their single sign-on session is considered to be in an idle state.

    • Practical implications: When a user logs in and then performs no action for a period of time, the system assumes the user is no longer active, and you can choose to log the user out automatically after a certain amount of time to improve security. For example, if it is set to 30 minutes and the user performs no action within 30 minutes, their session is considered idle and you can choose to ask the user to re-verify their identity.

  2. SSO Session Max (Single Sign-On Session Max):

    • Definition: Indicates the maximum effective time for a user's single sign-on session. Even if a user has been active in the system, their session will be forced to log off when this time threshold is reached.

    • Practical implications: Even if a user has been active in the system, for security and resource management purposes a maximum lifetime can be set, after which the user is forced to log in again so that their authentication status is up to date. For example, if it is set to 8 hours, the user's session expires after 8 hours and they need to log in again.

These two parameters are often associated with a balance between security and user experience. Setting them too short may result in users needing to re-login frequently, while setting them too long may increase security risks. The exact settings should be determined based on your application's security needs and user behavior.

Client Session Validity

"Client Session Idle" and "Client Session Max" are two parameters used in Keycloak to configure client sessions. These two parameters affect the session expiration and maximum validity time associated with the client.

  1. Client Session Idle:

    • Definition: A time threshold indicating that there is no activity between a user and a specific client. If the user does not interact with a specific client during this time, the session associated with that client is considered to be in an idle state.

    • Practical implications: When a user establishes a session with a specific client and then does not perform any operations with that client for a period of time, the system assumes that the user's session with that client is idle. This can be used to automatically log out of a session with a client to improve security.

  2. Client Session Max:

    • Definition: Indicates the maximum effective time for a user's session with a specific client. Even if the user has been interacting with a specific client, when this time threshold is reached, the session associated with that client will be forced to log off.

    • Practical implications: Even if a user has been active with a specific client, for security and resource management purposes, it is possible to set a maximum time after which the session associated with that client will be forced to end and the user may need to re-authenticate.

These two parameters are typically associated with client-related session management and security. Setting them too short may result in users needing to re-authenticate frequently, while setting them too long may increase security risks. The exact settings should be determined based on your application's security needs and user behavior.

Session expiry: the smallest value wins

In Keycloak, the session validity is indeed determined by the minimum of these parameters. In other words, if "SSO Session Idle", "SSO Session Max", "Client Session Idle", and "Client Session Max" are set, the session will expire in the time period defined by the smallest value in these parameters.

This behavior is to ensure that session validity is strictly limited in all relevant configurations to provide more precise control. This also means that both the overall single sign-on session validity and the session validity associated with a specific client will be limited by a minimum value.

idle session

For the idle timeout, Keycloak 14.0.0 has some bugs; I adjusted the source code for this part. When Session Max and Session Idle are different and the user performs no operation within the session idle time, the user session also times out.

In Keycloak, there are four setup parameters related to Idle Session. Their roles and relationships are as follows:

  1. Offline Session Idle: This is a parameter in Keycloak's realm settings that defines the timeout for an idle session. When a user does not interact with Keycloak in any way for a period of time, the session is considered to be in an idle state. By default, this parameter is set to 30 days.

  2. Offline Session Max Limited (Realm Settings): This is a parameter in Keycloak's realm settings that defines the maximum duration of an idle session. It defines the maximum duration of the session, in seconds, from the start of the session to its end. Once this period is exceeded, the session is marked as expired and destroyed. By default, this parameter is also set to 30 days.

  3. Offline Session Max: This is a parameter in Keycloak's client settings that defines the maximum duration of an idle session for a specific client. Each client can have its own idle session maximum duration, so that clients with different needs can have different session durations. By default, it inherits the realm's "Offline Session Max Limited" value.

  4. Client Offline Session Idle: This is a parameter in Keycloak's client settings that defines the idle session timeout for a particular client. Each client can have its own idle session timeout, so that clients with different needs can have different session durations. By default, it inherits the realm's "Offline Session Idle" value.

Together, these parameters control the timeout and maximum duration of an idle session. "Offline Session Idle" and "Client Offline Session Idle" determine how long a session may go without any user interaction with Keycloak before it is considered idle, while "Offline Session Max Limited" and "Offline Session Max" determine the maximum time a session can last. If the session exceeds this period, it is destroyed.

Note that the parameters in the realm settings apply to the entire realm, while the parameters in the client settings apply to specific clients. By setting different values for each client, you can adjust the session lifetime for different client applications.
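The "smallest value wins" rule above and the realm-to-client inheritance described for the offline parameters can be modelled in a few lines. The following is an added example, not code from the post or from Keycloak: it resolves a realm/client pair of idle and max values into an effective pair, then computes when a given session dies and which limit decided it. It assumes that a client value of 0 means "inherit the realm value" (the convention in the Keycloak admin console) and that idle time is measured from the last activity while max is measured from session creation; the same resolver serves both the SSO/Client Session pair and the Offline Session pair.

```python
"""Model of Keycloak's 'smallest value wins' session expiry (added example)."""
from dataclasses import dataclass
from typing import Tuple

INHERIT = 0  # assumption: 0 on a client-level setting means "use the realm value"


@dataclass(frozen=True)
class Timeouts:
    """All values in seconds. realm_* are the realm-level settings
    (SSO/Offline Session Idle and Max); client_* are per-client overrides."""
    realm_idle: int
    realm_max: int
    client_idle: int = INHERIT
    client_max: int = INHERIT


def effective_timeouts(t: Timeouts) -> Tuple[int, int]:
    """Resolve client overrides: inherit when 0, otherwise the smaller value wins."""
    idle = t.realm_idle if t.client_idle == INHERIT else min(t.realm_idle, t.client_idle)
    mx = t.realm_max if t.client_max == INHERIT else min(t.realm_max, t.client_max)
    return idle, mx


def expiry(t: Timeouts, started: int, last_access: int) -> Tuple[int, str]:
    """Return (epoch seconds when the session expires, the limit that decided it).
    Idle counts from the last activity; max counts from session creation."""
    idle, mx = effective_timeouts(t)
    candidates = {"idle": last_access + idle, "max": started + mx}
    limit = min(candidates, key=candidates.get)  # earliest deadline wins
    return candidates[limit], limit


def is_expired(t: Timeouts, started: int, last_access: int, now: int) -> bool:
    """True once 'now' has reached the effective expiry instant."""
    return now >= expiry(t, started, last_access)[0]


if __name__ == "__main__":
    # Constructed scenario: realm says 30 min idle / 8 h max, one client tightens idle to 10 min.
    cfg = Timeouts(realm_idle=1800, realm_max=8 * 3600, client_idle=600)
    started, last_access = 1_000, 4_000
    when, why = expiry(cfg, started, last_access)
    print(f"effective idle/max = {effective_timeouts(cfg)}, expires at {when} (limit: {why})")
    # Offline pair with the 30-day defaults from the post; the client inherits both values.
    offline = Timeouts(realm_idle=30 * 86400, realm_max=30 * 86400)
    print("offline expiry:", expiry(offline, started, last_access))
```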

Login Timeout

  • If a user stays on the login page for a long time (longer than the "Login timeout" configured in the backend) without submitting the login, the prompt "Login timeout, please restart login" appears; the page is then refreshed automatically and the user simply resubmits the login request.
  • Login timeout configuration: Realm Settings - Tokens tab, as shown in the figure.

When learning an open-source framework or product, we mainly summarize it through practice; only in practice do we discover its problems and those "unknown" features.