Replies: 5 comments 4 replies
-
/cc @pedroigor (oidc), @sberyozkin (oidc)
-
@canidae Hi, but the refresh token lifespan is not about the session lifespan, but about refreshing the ID/access tokens, so please add
which should be enough if the user has returned just before the session age extension has also expired, and
That will auto-refresh the tokens once the ID token is within 5 mins of getting expired (Typing those properties by memory right now, please check, one of them might be in the
-
Heya @sberyozkin. I think you may have misinterpreted the problem. We do have Edit:
-
Right, as it is in the cookie, it is important to make sure the cookie is returned before it has expired, and indeed Am I still missing your question/point :-) ?
-
This background thread in the page can ping the endpoint, say every 30 secs or 10 secs, and as soon as the ID token is within the configured skew, the auto-refresh will happen.
-
Question:
Can the OIDC cookies' expiry time be set to the refresh token expiry time, rather than the ID token expiry time? I believe the answer is "no", so the question really is: can it be implemented?
Details:
We're using Keycloak as IdP, where we've set the ID/access token lifetime to the default 5 minutes, but "SSO Session Idle" and "SSO Session Max" (which cause refresh tokens to expire at the lower of these two values) are set much higher (several days in our case).
The problem we've encountered is that Quarkus sets the expiry time of the cookies containing the tokens to the ID/access token expiry time plus `quarkus.oidc.authentication.session-age-extension` (default 5 minutes). Essentially this means that even if the refresh token is valid for days, a logged-in user who is idle for more than 10 minutes (5 minutes access token lifetime plus 5 minutes session-age-extension) will have to reauthenticate, even though the refresh token is still valid. We've solved this by setting a large value for `session-age-extension`, but it seems like this could've been better solved by setting the cookie expiry time to match the refresh token expiry time.
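The setup the question describes, written out as an `application.properties` fragment. This is an added example, not configuration posted in this thread or shipped by Quarkus; the realm URL, client id and `${OIDC_CLIENT_SECRET}` environment lookup are placeholders, and the two `quarkus.oidc.token.*` properties are the standard Quarkus OIDC auto-refresh settings as I recall them from the Quarkus OIDC reference, so verify their names against the version you run.

```properties
# Added example (not from the thread). Keycloak side, as in the question:
# access/ID token lifespan 5 minutes, "SSO Session Idle" / "SSO Session Max"
# several days, so the refresh token outlives the ID token by days.

quarkus.oidc.auth-server-url=https://keycloak.example.com/realms/myrealm
quarkus.oidc.client-id=my-app
quarkus.oidc.credentials.secret=${OIDC_CLIENT_SECRET}
quarkus.oidc.application-type=web-app

# Default behaviour (the problem): the session cookie lives for
# ID token lifetime (5m) + session-age-extension (5m) = 10 minutes.
# A user idle longer than that sends no cookie, so Quarkus cannot see the
# still-valid refresh token and starts a fresh login.
# quarkus.oidc.authentication.session-age-extension=PT5M

# Workaround from the question: stretch the cookie to cover the refresh
# token's lifetime. Matching Keycloak's "SSO Session Idle" makes cookie and
# refresh token expire together; a longer value only means a refresh attempt
# that Keycloak rejects, followed by a normal re-login.
quarkus.oidc.authentication.session-age-extension=P3D

# Refresh instead of re-authenticating when the user returns with an expired
# ID token but a cookie that is still present
# (assumed property names, taken from the Quarkus OIDC reference).
quarkus.oidc.token.refresh-expired=true
# Refresh proactively once the ID token is within 5 minutes of expiry; this is
# the skew a background keep-alive ping, as suggested above, would rely on.
quarkus.oidc.token.refresh-token-time-skew=PT5M
```

The trade-off is the one @sberyozkin hints at: the tokens travel in the cookie, so a cookie that lives for days is a cookie that, if stolen, can be replayed for as long as the refresh token it carries remains valid at Keycloak. Keep the value no higher than the refresh token lifetime you actually need, and rely on Keycloak's idle timeout to revoke sessions that are genuinely abandoned.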