Support aligning OIDC session lifetime with the refresh token lifetime #30766

Open
sberyozkin opened this issue Jan 31, 2023 Discussed in #30655 · 1 comment
Labels: area/oidc, kind/enhancement (New feature or request)

Comments

@sberyozkin (Member)

Discussed in #30655

Originally posted by canidae January 27, 2023
Question:
Can OIDC cookies expire time be set to refresh token expire time, rather than id token expire time? I believe the answer is "no", so the question really is: Can it be implemented?

Details:
We're using Keycloak as IdP, where we've set id/access token lifetime to the default 5 minutes, but "SSO Session Idle" and "SSO Session Max" (which cause refresh tokens to have the lowest value of these two as expire time) are set much higher (several days in our case).
The problem we've encountered is that Quarkus sets the expire time of the cookies containing the tokens to id/access token expire time plus quarkus.oidc.authentication.session-age-extension (default 5 minutes). Essentially this means that even if the refresh token is valid for days, a logged-in user that is idle for more than 10 minutes (5 minutes access token lifetime plus 5 minutes session-age-extension) will have to reauthenticate, even though the refresh token still is valid.
We've solved this by setting a large value for session-age-extension, but it seems like this could've been better solved by setting cookie expire time to match refresh token expire time.
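
The timing described in the post above, modelled as an added example (not code from the issue, from Quarkus or from Keycloak). `SessionConfig`, `outcome_after_idle` and the three sample configurations are hypothetical names and constructed values; the model assumes token refresh is enabled and measures idle time from login.

```python
from dataclasses import dataclass

DAY = 24 * 3600

@dataclass(frozen=True)
class SessionConfig:
    id_token_lifetime: int      # seconds (Keycloak ID/access token lifetime)
    session_age_extension: int  # seconds (quarkus.oidc.authentication.session-age-extension)
    sso_session_idle: int       # seconds (Keycloak "SSO Session Idle")
    sso_session_max: int        # seconds (Keycloak "SSO Session Max")

    @property
    def cookie_lifetime(self) -> int:
        # Per the issue: ID/access token expiry plus session-age-extension.
        return self.id_token_lifetime + self.session_age_extension

    @property
    def refresh_token_lifetime(self) -> int:
        # Per the issue: the lower of the two SSO session settings.
        return min(self.sso_session_idle, self.sso_session_max)

def outcome_after_idle(cfg: SessionConfig, idle: int) -> str:
    """Classify the first request sent `idle` seconds after login (hypothetical model)."""
    if idle >= cfg.cookie_lifetime:
        return "reauthenticate: session cookie expired"
    if idle < cfg.id_token_lifetime:
        return "ok: ID token still valid"
    # Assumption: token refresh is enabled, so an expired ID token triggers a refresh.
    if idle < cfg.refresh_token_lifetime:
        return "refresh: new tokens obtained with the refresh token"
    return "reauthenticate: refresh token expired"

# Constructed values: 5-minute tokens as in the issue, 3 days standing in for "several days".
DEFAULT = SessionConfig(300, 300, 3 * DAY, 3 * DAY)
# Extension chosen so the cookie expires together with the refresh token.
ALIGNED = SessionConfig(300, 3 * DAY - 300, 3 * DAY, 3 * DAY)
# Extension larger than the refresh token lifetime: the cookie outlives its usefulness.
OVERSIZED = SessionConfig(300, 30 * DAY, 3 * DAY, 3 * DAY)

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT), ("aligned", ALIGNED), ("oversized", OVERSIZED)):
        for idle in (60, 7 * 60, 11 * 60, DAY, 4 * DAY):
            print(f"{name:9} idle={idle:>6}s -> {outcome_after_idle(cfg, idle)}")
```

In the aligned and oversized cases the cookies containing the tokens stay in the browser for days rather than minutes, which is the trade-off of the session-age-extension workaround.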

@sberyozkin sberyozkin added kind/enhancement New feature or request area/oidc labels Jan 31, 2023
@sberyozkin sberyozkin self-assigned this Jan 31, 2023
quarkus-bot bot commented Jan 31, 2023

/cc @pedroigor (oidc)

@sberyozkin sberyozkin changed the title Support aligning OIDC session cookie lifetime with the refresh token lifetime Support aligning OIDC session lifetime with the refresh token lifetime Jan 31, 2023