keycloak-scim/topics/timeouts.adoc

[[_timeouts]]
= Cookie settings, Session Timeouts, and Token Lifespans

Keycloak has a bunch of fine-grain settings to manage browser cookies, user login sessions, and token lifespans.
Sessions can be viewed and managed within the admin console for all users, and individually in the user's account management pages.
This chapter goes over configuration options for cookies, sessions, and tokens. 

== Remember Me

If you go to the admin console page of Settings->General, you should see a `Remember Me` on/off switch.
Your realm sets a SSO cookie so that you only have to enter in your login credentials once.
This `Remember Me` admin config option, when turned on, will show a "Remember Me" checkbox on the user's login page.
If the user clicks this, the realm's SSO cookie will be persistent.
This means that if the user closes their browser they will still be logged in the next time they start up their browser. 

== Session Timeouts

If you go to the Sesions and Tokens->Timeout Settings page of the Keycloak adminstration console there is a bunch of fine tuning you can do as far as login session timeouts go. 

The `SSO Session Idle Timeout` is the idle time of a user session.
If there is no activity in the user's session for this amount of time, the user session will be destroyed, and the user will become logged out.
The idle time is refreshed with every action against the keycloak server for that session, i.e.: a user login, SSO, a refresh token grant, etc. 

The `SSO Session Max Lifespan` setting is the maximum time a user session is allowed to be alive.
This max lifespan countdown starts from when the user first logs in and is never refreshed.
This works great with `Remember Me`            in that it allow you to force a relogin after a set timeframe. 

== Token Timeouts

The `Access Token Lifespan` is how long an access token is valid for.
An access token contains everything an application needs to authorize a client.
It contains roles allowed as well as other user information.
When an access token expires, your application will attempt to refresh it using a refresh token that it obtained in the initial login.
The value of this configuration option should be however long you feel comfortable with the application not knowing if the user's permissions have changed.
This value is usually in minutes. 

The `Access Token Lifespan For Implicit Flow` is how long an access token is valid for when using OpenID Connect implicit flow.
With implicit flow, there is no refresh token available.
That's why the lifespan is usually bigger than default Access Token Lifespan mentioned above.
See http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth[OpenID Connect specification] for details about implicit flow and <<_javascript_adapter,Javascript Adapter>> for some additional details on how to use it in Keycloak. 

The `Client login timeout` is how long an access code is valid for.
An access code is obtained on the 1st leg of the OAuth 2.0 redirection protocol.
This should be a short time limit.
Usually seconds. 

The `Login user action lifespan` is how long a user is allowed to attempt a login.
When a user tries to login, they may have to change their password, set up TOTP, or perform some other action before they are redirected back to your application as an authentnicated user.
This value is relatively short and is usually measured in minutes. 

== Offline Access

The Offline access is the feature described in http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess[OpenID Connect specification] . The idea is that during login, your client application will request Offline token instead of classic Refresh token.
Then the application can save this offline token in the database and can use it anytime later even if user is logged out.
This is useful for example if your application needs to do some "offline" actions on behalf of user even if user is not online.
For example periodic backup of some data every night etc. 

Your application is responsible for persist the offline token in some storage (usually database) and then use it to manually retrieve new access token from Keycloak server. 

The difference between classic Refresh token and Offline token is, that offline token will never expire and is not subject of `SSO Session Idle timeout` . The offline token is valid even after user logout or server restart.
However you need to use offline token for refresh at least once per each 30 days ( The value can be changed in admin console.
It is `Offline Session Idle timeout` ). Also if you enable option `Revoke refresh tokens`            , then each offline token can be used just once.
So after refresh, you always need to store new offline token from refresh response into your DB instead of the previous one. 

User can revoke the offline tokens in Account management UI.
The admin user can revoke offline tokens for individual users in admin console (The `Consent` tab of particular user) and he can see all the offline tokens of all users for particular client application in the settings of the client.
Revoking of all offline tokens for particular client is possible by set `notBefore` policy for the client. 

For requesting the offline token, user needs to be in realm role `offline_access` and client needs to have scope for this role.
If client has `Full scope allowed`, the scope is granted by default.
Also users are automatically members of the role as it's the default role. 

The client can request offline token by adding parameter `scope=offline_access`            when sending authorization request to Keycloak.
The adapter automatically adds this parameter when you use it to access secured URL of your application (ie.
http://localhost:8080/customer-portal/secured?scope=offline_access ). The <<_direct_access_grants,Direct Access Grant>> or <<_service_accounts,Service account>> flows also support offline tokens if you include `scope=offline_access` in the body of the authentication request.
For more details, see the `offline-access-app` example from Keycloak demo.
add 2016-04-18 15:15:25 +00:00			`[[_timeouts]]`
			`= Cookie settings, Session Timeouts, and Token Lifespans`

			`Keycloak has a bunch of fine-grain settings to manage browser cookies, user login sessions, and token lifespans.`
			`Sessions can be viewed and managed within the admin console for all users, and individually in the user's account management pages.`
			`This chapter goes over configuration options for cookies, sessions, and tokens.`

			`== Remember Me`

			If you go to the admin console page of Settings->General, you should see a `Remember Me` on/off switch.
			`Your realm sets a SSO cookie so that you only have to enter in your login credentials once.`
			This `Remember Me` admin config option, when turned on, will show a "Remember Me" checkbox on the user's login page.
			`If the user clicks this, the realm's SSO cookie will be persistent.`
			`This means that if the user closes their browser they will still be logged in the next time they start up their browser.`

			`== Session Timeouts`

			`If you go to the Sesions and Tokens->Timeout Settings page of the Keycloak adminstration console there is a bunch of fine tuning you can do as far as login session timeouts go.`

			The `SSO Session Idle Timeout` is the idle time of a user session.
			`If there is no activity in the user's session for this amount of time, the user session will be destroyed, and the user will become logged out.`
			`The idle time is refreshed with every action against the keycloak server for that session, i.e.: a user login, SSO, a refresh token grant, etc.`

			The `SSO Session Max Lifespan` setting is the maximum time a user session is allowed to be alive.
			`This max lifespan countdown starts from when the user first logs in and is never refreshed.`
			This works great with `Remember Me` in that it allow you to force a relogin after a set timeframe.

			`== Token Timeouts`

			The `Access Token Lifespan` is how long an access token is valid for.
			`An access token contains everything an application needs to authorize a client.`
			`It contains roles allowed as well as other user information.`
			`When an access token expires, your application will attempt to refresh it using a refresh token that it obtained in the initial login.`
			`The value of this configuration option should be however long you feel comfortable with the application not knowing if the user's permissions have changed.`
			`This value is usually in minutes.`

			The `Access Token Lifespan For Implicit Flow` is how long an access token is valid for when using OpenID Connect implicit flow.
			`With implicit flow, there is no refresh token available.`
			`That's why the lifespan is usually bigger than default Access Token Lifespan mentioned above.`
			`See http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth[OpenID Connect specification] for details about implicit flow and <<_javascript_adapter,Javascript Adapter>> for some additional details on how to use it in Keycloak.`

			The `Client login timeout` is how long an access code is valid for.
			`An access code is obtained on the 1st leg of the OAuth 2.0 redirection protocol.`
			`This should be a short time limit.`
			`Usually seconds.`

			The `Login user action lifespan` is how long a user is allowed to attempt a login.
			`When a user tries to login, they may have to change their password, set up TOTP, or perform some other action before they are redirected back to your application as an authentnicated user.`
			`This value is relatively short and is usually measured in minutes.`

			`== Offline Access`

			`The Offline access is the feature described in http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess[OpenID Connect specification] . The idea is that during login, your client application will request Offline token instead of classic Refresh token.`
			`Then the application can save this offline token in the database and can use it anytime later even if user is logged out.`
			`This is useful for example if your application needs to do some "offline" actions on behalf of user even if user is not online.`
			`For example periodic backup of some data every night etc.`

			`Your application is responsible for persist the offline token in some storage (usually database) and then use it to manually retrieve new access token from Keycloak server.`

			The difference between classic Refresh token and Offline token is, that offline token will never expire and is not subject of `SSO Session Idle timeout` . The offline token is valid even after user logout or server restart.
			`However you need to use offline token for refresh at least once per each 30 days ( The value can be changed in admin console.`
			It is `Offline Session Idle timeout` ). Also if you enable option `Revoke refresh tokens` , then each offline token can be used just once.
			`So after refresh, you always need to store new offline token from refresh response into your DB instead of the previous one.`

			`User can revoke the offline tokens in Account management UI.`
			The admin user can revoke offline tokens for individual users in admin console (The `Consent` tab of particular user) and he can see all the offline tokens of all users for particular client application in the settings of the client.
			Revoking of all offline tokens for particular client is possible by set `notBefore` policy for the client.

			For requesting the offline token, user needs to be in realm role `offline_access` and client needs to have scope for this role.
			If client has `Full scope allowed`, the scope is granted by default.
			`Also users are automatically members of the role as it's the default role.`

			The client can request offline token by adding parameter `scope=offline_access` when sending authorization request to Keycloak.
			`The adapter automatically adds this parameter when you use it to access secured URL of your application (ie.`
			http://localhost:8080/customer-portal/secured?scope=offline_access ). The <<_direct_access_grants,Direct Access Grant>> or <<_service_accounts,Service account>> flows also support offline tokens if you include `scope=offline_access` in the body of the authentication request.
			For more details, see the `offline-access-app` example from Keycloak demo.