Originally posted by canidae January 27, 2023

Question:
Can the OIDC cookies' expiry time be set to the refresh token's expiry time, rather than the ID token's expiry time? I believe the answer is "no", so the question really is: can it be implemented?

Details:
We're using Keycloak as IdP, where we've set the id/access token lifetime to the default 5 minutes, but "SSO Session Idle" and "SSO Session Max" (which cause refresh tokens to have the lowest value of these two as their expiry time) are set much higher (several days in our case).
The problem we've encountered is that Quarkus sets the expiry time of the cookies containing the tokens to the id/access token expiry time plus `quarkus.oidc.authentication.session-age-extension` (default 5 minutes). Essentially this means that even if the refresh token is valid for days, a logged-in user who is idle for more than 10 minutes (5 minutes access token lifetime plus 5 minutes session-age-extension) will have to reauthenticate, even though the refresh token is still valid.
We've solved this by setting a large value for `session-age-extension`, but it seems like this could've been better solved by setting the cookie expiry time to match the refresh token expiry time.
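The lifetimes described in the post, modelled as an added example (not code from the Quarkus project or from the original poster). The `Policy` fields, the `simulate` function and the request timeline are assumptions that simplify the real Quarkus and Keycloak behaviour; the model only shows why an idle gap longer than access lifetime plus extension forces re-authentication under the current rule but not under the requested one.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    access_ttl: int               # id/access token lifetime in seconds (Keycloak default: 300)
    session_age_extension: int    # quarkus.oidc.authentication.session-age-extension (default: 300)
    sso_idle: int                 # Keycloak "SSO Session Idle" in seconds
    sso_max: int                  # Keycloak "SSO Session Max" in seconds
    cookie_follows_refresh: bool  # False: current Quarkus rule; True: rule requested in the issue


def simulate(policy: Policy, request_times: list[int]) -> list[str]:
    """Classify each request (seconds since login) as served by the access token,
    served after a token refresh, or forcing a full re-authentication.

    Simplified model (an assumption, not Quarkus's actual code): the refresh token
    is valid until min(last refresh + SSO Session Idle, login + SSO Session Max);
    the session cookie lasts either until access-token expiry plus the extension
    (current behaviour) or until refresh-token expiry (requested behaviour)."""
    login = last_refresh = 0
    outcomes = []
    for t in request_times:
        access_exp = last_refresh + policy.access_ttl
        refresh_exp = min(last_refresh + policy.sso_idle, login + policy.sso_max)
        cookie_exp = (refresh_exp if policy.cookie_follows_refresh
                      else access_exp + policy.session_age_extension)
        if t < access_exp:
            outcomes.append("access")    # tokens in the cookie are still fresh
        elif t < cookie_exp and t < refresh_exp:
            outcomes.append("refresh")   # cookie alive, refresh grant succeeds
            last_refresh = t             # new tokens issued, idle timer reset
        else:
            outcomes.append("reauth")    # cookie gone or refresh token expired
            login = last_refresh = t
    return outcomes


# Constructed settings matching the post: 5 min tokens, 5 min extension, multi-day SSO session.
CURRENT = Policy(300, 300, 3 * 86400, 7 * 86400, cookie_follows_refresh=False)
REQUESTED = Policy(300, 300, 3 * 86400, 7 * 86400, cookie_follows_refresh=True)
IDLE_USER = [60, 400, 1200]  # constructed timeline: 800 s idle before the third request

if __name__ == "__main__":
    print("current:  ", simulate(CURRENT, IDLE_USER))    # ['access', 'refresh', 'reauth']
    print("requested:", simulate(REQUESTED, IDLE_USER))  # ['access', 'refresh', 'refresh']
```

With the requested rule the session still ends at "SSO Session Max": a user who refreshes once a day is sent back to Keycloak on day 7 regardless of activity.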
sberyozkin changed the title from "Support aligning OIDC session cookie lifetime with the refresh token lifetime" to "Support aligning OIDC session lifetime with the refresh token lifetime" on Jan 31, 2023
Discussed in #30655