keycloak-scim/server_admin/topics/sessions/timeouts.adoc

[[_timeouts]]

=== Session and Token Timeouts

{project_name} gives you fine grain control of session, cookie, and token timeouts.  This is all done on the
`Tokens` tab in the `Realm Settings` left menu item.

.Tokens Tab
image:{project_images}/tokens-tab.png[]

Let's walk through each of the items on this page.

|===
|Configuration|Description

|Revoke Refresh Token
|For OIDC clients that are doing the refresh token flow, this flag, if on, will revoke that refresh token and issue another with the request that the client has to use.
 This basically means that refresh tokens have a one time use.

|SSO Session Idle
|Also pertains to OIDC clients.  If the user is not active for longer than this timeout, the user session will be invalidated.  How is idle time checked?
A client requesting authentication will bump the idle timeout.  Refresh token requests will also bump the idle timeout.
There is a small window of time that is always added to the idle timeout before the session is actually invalidated (See note below).

|SSO Session Max
|Maximum time before a user session is expired and invalidated.  This is a hard number and time.  It controls the maximum time
 a user session can remain active, regardless of activity.

|Offline Session Idle
|For <<_offline-access, offline access>>, this is the time the session is allowed to remain idle before the offline token is revoked.
There is a small window of time that is always added to the idle timeout before the session is actually invalidated (See note below).

|Offline Session Max Limited
|For <<_offline-access, offline access>>, if this flag is on, Offline Session Max is enabled to control the maximum time the offline token can remain active, regardless of activity.

|Offline Session Max
|For <<_offline-access, offline access>>, this is the maximum time before the corresponding offline token is revoked. This is a hard number and time. It controls the maximum time the offline token can remain active, regardless of activity.

|Access Token Lifespan
|When an OIDC access token is created, this value affects the expiration.

|Access Token Lifespan For Implicit Flow
|With the Implicit Flow no refresh token is provided. For this reason there's a separate timeout for access tokens created with the Implicit Flow.

|Client login timeout
|This is the maximum time that a client has to finish the Authorization Code Flow in OIDC.

|Login timeout
|Total time a login must take.  If authentication takes longer than this time then the user will have to start the authentication process over.

|Login action timeout
|Maximum time a user can spend on any one page in the authentication process.

|User-Initiated Action Lifespan
|Maximum time before an action permit sent by a user (e.g. forgot password e-mail) is expired. This value is recommended to be short because it is expected that the user would react to self-created action quickly.

|Default Admin-Initiated Action Lifespan
|Maximum time before an action permit sent to a user by an admin is expired. This value is recommended to be long to allow admins send e-mails for users that are currently offline. The default timeout can be overridden right before issuing the token.

|Override User-Initiated Action Lifespan
|Permits the possibility of having independent timeouts per operation (e.g. e-mail verification, forgot password, user actions and Identity Provider E-mail Verification). This field is non mandatory and if nothing is specified it defaults to the value configured at _User-Initiated Action Lifespan_.
|===

NOTE: For idle timeouts, there is a small window of time (2 minutes) during which the session is kept unexpired. For example, when you have
timeout set to 30 minutes, it will be actually 32 minutes before the session is expired. This is needed for some corner-case scenarios in
cluster and cross-datacenter environments, in cases where the token was refreshed on one cluster node for a very short time before the
expiration and the other cluster nodes would in the meantime incorrectly consider the session as expired, because they had not yet received
the message about successful refresh from the node which did the refresh.
sessions 2016-05-27 20:12:07 +00:00			`[[_timeouts]]`

			`=== Session and Token Timeouts`

Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`{project_name} gives you fine grain control of session, cookie, and token timeouts. This is all done on the`
sessions 2016-05-27 20:12:07 +00:00			`Tokens` tab in the `Realm Settings` left menu item.

			`.Tokens Tab`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`image:{project_images}/tokens-tab.png[]`
sessions 2016-05-27 20:12:07 +00:00
			`Let's walk through each of the items on this page.`

			`\|===`
			`\|Configuration\|Description`

			`\|Revoke Refresh Token`
Minor changes to session mgt chapter. 2016-06-06 17:15:23 +00:00			`\|For OIDC clients that are doing the refresh token flow, this flag, if on, will revoke that refresh token and issue another with the request that the client has to use.`
sessions 2016-05-27 20:12:07 +00:00			`This basically means that refresh tokens have a one time use.`

			`\|SSO Session Idle`
Minor changes to session mgt chapter. 2016-06-06 17:15:23 +00:00			`\|Also pertains to OIDC clients. If the user is not active for longer than this timeout, the user session will be invalidated. How is idle time checked?`
KEYCLOAK-6048 Document idle timeout window 2018-11-14 07:47:56 +00:00			`A client requesting authentication will bump the idle timeout. Refresh token requests will also bump the idle timeout.`
			`There is a small window of time that is always added to the idle timeout before the session is actually invalidated (See note below).`
sessions 2016-05-27 20:12:07 +00:00
			`\|SSO Session Max`
			`\|Maximum time before a user session is expired and invalidated. This is a hard number and time. It controls the maximum time`
Minor changes to session mgt chapter. 2016-06-06 17:15:23 +00:00			`a user session can remain active, regardless of activity.`
sessions 2016-05-27 20:12:07 +00:00
			`\|Offline Session Idle`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`\|For <<_offline-access, offline access>>, this is the time the session is allowed to remain idle before the offline token is revoked.`
KEYCLOAK-6048 Document idle timeout window 2018-11-14 07:47:56 +00:00			`There is a small window of time that is always added to the idle timeout before the session is actually invalidated (See note below).`
sessions 2016-05-27 20:12:07 +00:00
KEYCLOAK-7688 Offline Session Max for Offline Token 2018-06-27 22:03:20 +00:00			`\|Offline Session Max Limited`
			`\|For <<_offline-access, offline access>>, if this flag is on, Offline Session Max is enabled to control the maximum time the offline token can remain active, regardless of activity.`

			`\|Offline Session Max`
			`\|For <<_offline-access, offline access>>, this is the maximum time before the corresponding offline token is revoked. This is a hard number and time. It controls the maximum time the offline token can remain active, regardless of activity.`

sessions 2016-05-27 20:12:07 +00:00			`\|Access Token Lifespan`
Minor changes to session mgt chapter. 2016-06-06 17:15:23 +00:00			`\|When an OIDC access token is created, this value affects the expiration.`
sessions 2016-05-27 20:12:07 +00:00
Update topics/sessions/timeouts.adoc 2016-06-10 07:11:35 +00:00			`\|Access Token Lifespan For Implicit Flow`
Update topics/sessions/timeouts.adoc 2016-06-10 07:12:35 +00:00			`\|With the Implicit Flow no refresh token is provided. For this reason there's a separate timeout for access tokens created with the Implicit Flow.`
Update topics/sessions/timeouts.adoc 2016-06-10 07:11:35 +00:00
sessions 2016-05-27 20:12:07 +00:00			`\|Client login timeout`
Fixed typo in Session and Token Timeouts 2017-04-03 06:24:17 +00:00			`\|This is the maximum time that a client has to finish the Authorization Code Flow in OIDC.`
sessions 2016-05-27 20:12:07 +00:00
			`\|Login timeout`
Minor changes to session mgt chapter. 2016-06-06 17:15:23 +00:00			`\|Total time a login must take. If authentication takes longer than this time then the user will have to start the authentication process over.`
sessions 2016-05-27 20:12:07 +00:00
			`\|Login action timeout`
			`\|Maximum time a user can spend on any one page in the authentication process.`
KEYCLOAK-4627 Documentation for action token timeouts 2017-05-17 14:20:44 +00:00
			`\|User-Initiated Action Lifespan`
			`\|Maximum time before an action permit sent by a user (e.g. forgot password e-mail) is expired. This value is recommended to be short because it is expected that the user would react to self-created action quickly.`

			`\|Default Admin-Initiated Action Lifespan`
			`\|Maximum time before an action permit sent to a user by an admin is expired. This value is recommended to be long to allow admins send e-mails for users that are currently offline. The default timeout can be overridden right before issuing the token.`
[KEYCLOAK-2052] Allows independently set timeouts for e-mail verification link and rest e.g. forgot password link 2017-11-11 21:28:26 +00:00
			`\|Override User-Initiated Action Lifespan`
			`\|Permits the possibility of having independent timeouts per operation (e.g. e-mail verification, forgot password, user actions and Identity Provider E-mail Verification). This field is non mandatory and if nothing is specified it defaults to the value configured at _User-Initiated Action Lifespan_.`
sessions 2016-05-27 20:12:07 +00:00			`\|===`
KEYCLOAK-6048 Document idle timeout window 2018-11-14 07:47:56 +00:00
			`NOTE: For idle timeouts, there is a small window of time (2 minutes) during which the session is kept unexpired. For example, when you have`
			`timeout set to 30 minutes, it will be actually 32 minutes before the session is expired. This is needed for some corner-case scenarios in`
			`cluster and cross-datacenter environments, in cases where the token was refreshed on one cluster node for a very short time before the`
			`expiration and the other cluster nodes would in the meantime incorrectly consider the session as expired, because they had not yet received`
			`the message about successful refresh from the node which did the refresh.`