Reputation: 952
I am developing an application with Keycloak as the authN service.
I would like to configure my application so that an access token has a 5 minute validity, a user will be logged out after 14 days of inactivity, and a user can remain logged on indefinitely as long as there is activity at least every 14 days.
In my realm settings, under "Access Token Lifespan" I have 5 minutes. In the Sessions tab, the SSO Session Idle is set to 14 days. In the same tab, the SSO Session Max is set to 9999 days.
When I log in with the password grant, I get an access token with an expiration 9999 days away and a refresh token with an expiration 9999 days away. I expected an access token with an expiration 5 minutes out and a refresh token with an expiration 14 days out.
What did I do wrong?
Upvotes: 7
Views: 19312
Reputation: 331
You have to change the client access token lifespan, not the token settings on the realm settings.
You will see the Access Token Lifespan, Client Session Idle, and Client Session Max properties. Those are the ones which control your token expires_in and refresh_expires_in values.
Upvotes: 0
Reputation: 59
This is the API to change the "Access Token Lifespan" of a client in Keycloak:
# access.token.lifespan is given in seconds
curl --location --request PUT '{Keycloak Host}/admin/realms/{RealmName}/clients/{Client_id}' \
--header 'Authorization: Bearer {Admin Access Token}' \
--header 'Content-Type: application/json' \
--data '{
"id": "{Client_id}",
"attributes": {
"access.token.lifespan": 1500
}
}'
Before setting the Access Token Lifespan, make sure to check "SSO Session Max" in the Sessions tab of Realm settings. "SSO Session Max" should be greater than "Access Token Lifespan"; otherwise access.token.lifespan will be overridden by SSO Session Max.
Upvotes: 1
Reputation: 521
Make sure you are making all of these changes in the same realm as the one you are logging in to.
Upvotes: 1
Reputation: 51513
When I log in with the password grant, I get an access token with an expiration 9999 days away and a refresh token with an expiration 9999 days away. I expected an access token with an expiration 5 minutes out and a refresh token with an expiration 14 days out.
Your expectation is correct; more details on why can be read here.
It seems to be some kind of bug (overflow maybe?!) on the Keycloak side. If you used 999 days instead of 9999 days, the access token will be 5 minutes and the refresh token will be 14 days, as you expected.
From my tests on Keycloak 18 you can go until 5419 days without any problem.
Today is 19/03/2023, and 5420 days from now is 19/01/2038, so basically it seems to me to be a manifestation of the Year 2038 Problem.
Upvotes: 9
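The overflow hypothesis from the last answer, worked through as an added example (not part of any post above, and not Keycloak's own code). It assumes, as that answer suggests, that the session end time is held as signed 32-bit epoch seconds, and it also checks a token's exp - iat against the lifespan you configured. The login time and tokens are constructed samples, and all function names are hypothetical.

```python
import base64
import json
from datetime import datetime, timezone

INT32_MAX = 2**31 - 1   # 2038-01-19T03:14:07Z in epoch seconds
DAY = 86400

def max_safe_days(now: int) -> int:
    """Largest SSO Session Max (days) where now + max still fits in int32."""
    return (INT32_MAX - now) // DAY

def wraps_int32(now: int, session_max_days: int) -> bool:
    """True if the session end time would exceed a signed 32-bit epoch."""
    return now + session_max_days * DAY > INT32_MAX

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def lifetime_matches(token: str, expected_seconds: int, slack: int = 5) -> bool:
    """Check exp - iat against the lifespan configured for that token type."""
    claims = jwt_claims(token)
    return 0 < claims["exp"] - claims["iat"] <= expected_seconds + slack

def sample_token(iat: int, lifetime: int) -> str:
    """Constructed, unsigned token used only as sample input."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"iat": iat, "exp": iat + lifetime}), ""])

if __name__ == "__main__":
    # Constructed login time: noon UTC on the date given in the answer.
    now = int(datetime(2023, 3, 19, 12, tzinfo=timezone.utc).timestamp())
    print("max safe SSO Session Max:", max_safe_days(now), "days")
    for days in (999, 5419, 5420, 9999):
        print(days, "days ->", "overflows" if wraps_int32(now, days) else "ok")
    good = sample_token(now, 300)          # the expected 5 minutes
    bad = sample_token(now, 9999 * DAY)    # the lifetime reported in the question
    print(lifetime_matches(good, 300), lifetime_matches(bad, 300))
```

Running lifetime_matches against the access and refresh tokens returned after each settings change shows whether the realm or client value actually took effect.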