Update docs and tooltips for lifespan and idle timeout changes
Closes https://github.com/keycloak/keycloak/issues/20791
This commit is contained in:
parent
a36be17a5c
commit
20121ee9da
7 changed files with 42 additions and 13 deletions
Binary file not shown.
After Width: | Height: | Size: 47 KiB |
|
@ -94,6 +94,33 @@ See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-mtls-08#section-3[Mut
|
|||
Currently, {project_name} client adapters do not support holder-of-key token verification. {project_name} adapters treat access and refresh tokens as bearer tokens.
|
||||
====
|
||||
|
||||
[[_client_advanced_settings_oidc]]
|
||||
*Advanced Settings for OIDC*
|
||||
|
||||
The Advanced Settings for OpenID Connect allows you to configure overrides at the client level for <<_timeouts, session and token timeouts>>.
|
||||
|
||||
image:images/client-advanced-settings-oidc.png[Advanced Settings]
|
||||
|
||||
|===
|
||||
|Configuration|Description
|
||||
|
||||
|Access Token Lifespan
|
||||
|The value overrides the realm option with same name.
|
||||
|
||||
|Client Session Idle
|
||||
|The value overrides the realm option with same name. The value should be shorter than the global *SSO Session Idle*.
|
||||
|
||||
|Client Session Max
|
||||
|The value overrides the realm option with same name. The value should be shorter than the global *SSO Session Max*.
|
||||
|
||||
|Client Offline Session Idle
|
||||
|This setting allows you to configure a shorter offline session idle timeout for the client. The timeout is amount of time the session remains idle before {project_name} revokes its offline token. If not set, realm <<_offline-session-idle,Offline Session Idle>> is used.
|
||||
|
||||
|Client Offline Session Max
|
||||
|This setting allows you to configure a shorter offline session max lifespan for the client. The lifespan is the maximum time before {project_name} revokes the corresponding offline token. This option needs <<_offline-session-max-limited,Offline Session Max Limited>> enabled globally in the realm, and defaults to <<_offline-session-max,Offline Session Max>>.
|
||||
|
||||
|===
|
||||
|
||||
[[_proof-key-for-code-exchange]]
|
||||
*Proof Key for Code Exchange Code Challenge Method*
|
||||
|
||||
|
|
|
@ -12,6 +12,8 @@ The difference between a refresh token and an offline token is that an offline t
|
|||
|
||||
If you enable <<_offline-session-max-limited, Offline Session Max Limited>>, offline tokens expire after 60 days even if you use the offline token for a refresh token action. You can change this value, <<_offline-session-max, Offline Session Max>>, in the Admin Console.
|
||||
|
||||
When using offline access, client idle and max timeouts can be overridden at the <<_client_advanced_settings_oidc,client level>>. The options *Client Offline Session Idle* and *Client Offline Session Max*, in the client *Advanced Settings* tab, allow you to have a shorter offline timeouts for a specific application. Note that client session values also control the refresh token expiration but they never affect the global offline user SSO session. The option *Client Offline Session Max* is only evaluated in the client if <<_offline-session-max-limited, Offline Session Max Limited>> is *Enabled* at the realm level.
|
||||
|
||||
If you enable the <<_revoke-refresh-token, Revoke Refresh Token>> option, you can use each offline token once only. After refresh, you must store the new offline token from the refresh response instead of the previous one.
|
||||
|
||||
Users can view and revoke offline tokens that {project_name} grants them in the <<_account-service, User Account Console>>. Administrators can revoke offline tokens for individual users in the Admin Console in the `Consents` tab. Administrators can view all offline tokens issued in the `Offline Access` tab of each client. Administrators can revoke offline tokens by setting a <<_revocation-policy, revocation policy>>.
|
||||
|
|
|
@ -24,10 +24,10 @@ image:images/sessions-tab.png[Sessions Tab]
|
|||
|This setting is similar to the standard SSO Session Max but specific to *Remember Me* logins. Users can specify longer sessions when they click *Remember Me* when logging in. This setting is an optional configuration and, if its value is not greater than zero, it uses the same session lifespan as the SSO Session Max configuration.
|
||||
|
||||
|Client Session Idle
|
||||
|If the user is inactive for longer than this timeout, refresh token requests bump the idle timeout. This setting specifies a shorter idle timeout of refresh tokens than the session idle timeout, but users can override it for individual clients. This setting is an optional configuration and, when set to zero, uses the same idle timeout in the SSO Session Idle configuration.
|
||||
|Idle timeout for the client session. If the user is inactive for longer than this timeout, the client session is invalidated and the refresh token requests bump the idle timeout. This setting never affects the general SSO user session, which is unique. Note the SSO user session is the parent of zero or more client sessions, one client session is created for every different client app the user logs in. This value should specify a shorter idle timeout than the *SSO Session Idle*. Users can override it for individual clients in the *Advanced Settings* client tab. This setting is an optional configuration and, when set to zero, uses the same idle timeout in the SSO Session Idle configuration.
|
||||
|
||||
|Client Session Max
|
||||
|The maximum time before a refresh token expires and invalidates. This setting specifies a shorter timeout of refresh tokens than the session timeout, but users can override it for individual clients. This setting is an optional configuration and, when set to zero, uses the same idle timeout in the SSO Session Max configuration.
|
||||
|The maximum time for a client session and before a refresh token expires and invalidates. As in the previous option, this setting never affects the SSO user session and should specify a shorter value than the *SSO Session Max*. Users can override it for individual clients in the *Advanced Settings* client tab. This setting is an optional configuration and, when set to zero, uses the same max timeout in the SSO Session Max configuration.
|
||||
|
||||
[[_offline-session-idle]]
|
||||
|Offline Session Idle
|
||||
|
@ -35,7 +35,7 @@ image:images/sessions-tab.png[Sessions Tab]
|
|||
|
||||
[[_offline-session-max-limited]]
|
||||
|Offline Session Max Limited
|
||||
|This setting is for <<_offline-access, offline access>>. If this flag is *ON*, Offline Session Max can control the maximum time the offline token remains active, regardless of user activity. Client Offline Session Idle and Client Offline Session Max are enabled.
|
||||
|This setting is for <<_offline-access, offline access>>. If this flag is *Enabled*, Offline Session Max can control the maximum time the offline token remains active, regardless of user activity. If the flag is *Disabled*, offline sessions never expire by lifespan, only by idle. Once this option is activated, the <<_offline-session-max, Offline Session Max>> (global option at realm level) and *Client Offline Session Max* (specific client level option in the *Advanced Settings* tab) can be configured.
|
||||
|
||||
[[_offline-session-max]]
|
||||
|Offline Session Max
|
||||
|
|
|
@ -103,10 +103,10 @@
|
|||
"advancedSettingsSaml": "This section is used to configure advanced settings of this client",
|
||||
"assertionLifespan": "Lifespan set in the SAML assertion conditions. After that time the assertion will be invalid. The \"SessionNotOnOrAfter\" attribute is not modified and continue using the \"SSO Session Max\" time defined at realm level.",
|
||||
"accessTokenLifespan": "Max time before an access token is expired. This value is recommended to be short relative to the SSO timeout.",
|
||||
"clientSessionIdle": "Time a client is allowed to be idle before refreshing tokens is invalidated. The option only affects token times and not the global SSO session. If not set, it uses the standard SSO Session Idle value.",
|
||||
"clientSessionMax": "Max time before tokens are invalidated for the client. The option only affects token times and not the global SSO session. If not set, it uses the standard SSO Session Max value.",
|
||||
"clientOfflineSessionIdle": "Time a client is allowed to be idle before refreshing offline tokens is invalidated. The option only affects token times and not the global SSO session. If not set, it uses the standard SSO Session Idle value.",
|
||||
"clientOfflineSessionMax": "Max time before offline tokens are invalidated for the client. The option only affects token times and not the global SSO session. If not set, it uses the standard SSO Session Max value.",
|
||||
"clientSessionIdle": "Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Idle value.",
|
||||
"clientSessionMax": "Max time before a client session is expired. Tokens are invalidated when a client session is expired. The option does not affect the global user SSO session. If not set, it uses the realm Client Session Max or SSO Session Max value.",
|
||||
"clientOfflineSessionIdle": "Time a client offline session is allowed to be idle before it expires. Offline tokens are invalidated when a client offline session is expired. The option does not affect the global user SSO session. If not set, it uses the realm Offline Session Idle value.",
|
||||
"clientOfflineSessionMax": "Max time before a client offline session is expired. If Offline Session Max Limited is enabled at realm level, offline tokens are invalidated when a client offline session is expired. The option does not affect the global user SSO session. If not set, it uses the realm Offline Session Max value.",
|
||||
"oAuthMutual": "This enables support for OAuth 2.0 Mutual TLS Certificate Bound Access Tokens, which means that keycloak bind an access token and a refresh token with a X.509 certificate of a token requesting client exchanged in mutual TLS between keycloak's Token Endpoint and this client. These tokens can be treated as Holder-of-Key tokens instead of bearer tokens.",
|
||||
"keyForCodeExchange": "Choose which code challenge method for PKCE is used. If not specified, keycloak does not applies PKCE to a client unless the client sends an authorization request with appropriate code challenge and code exchange method.",
|
||||
"pushedAuthorizationRequestRequired": "Boolean parameter indicating whether the authorization server accepts authorization request data only via the pushed authorization request method.",
|
||||
|
|
|
@ -506,10 +506,10 @@
|
|||
"advancedSettings": "Advanced Settings",
|
||||
"assertionLifespan": "Assertion Lifespan",
|
||||
"accessTokenLifespan": "Access Token Lifespan",
|
||||
"clientSessionIdle": "Client Token Idle",
|
||||
"clientSessionMax": "Client Token Max",
|
||||
"clientOfflineSessionIdle": "Client Offline Token Idle",
|
||||
"clientOfflineSessionMax": "Client Offline Token Max",
|
||||
"clientSessionIdle": "Client Session Idle",
|
||||
"clientSessionMax": "Client Session Max",
|
||||
"clientOfflineSessionIdle": "Client Offline Session Idle",
|
||||
"clientOfflineSessionMax": "Client Offline Session Max",
|
||||
"oAuthMutual": "OAuth 2.0 Mutual TLS Certificate Bound Access Tokens Enabled",
|
||||
"keyForCodeExchange": "Proof Key for Code Exchange Code Challenge Method",
|
||||
"pushedAuthorizationRequestRequired": "Pushed authorization request required",
|
||||
|
|
|
@ -51,8 +51,8 @@
|
|||
"ssoSessionMax": "Max time before a session is expired. Tokens and browser sessions are invalidated when a session is expired.",
|
||||
"ssoSessionIdleRememberMe": "Time a remember me session is allowed to be idle before it expires. Tokens and browser sessions are invalidated when a session is expired. If not set it uses the standard SSO Session Idle value.",
|
||||
"ssoSessionMaxRememberMe": "Max time before a session is expired when a user has set the remember me option. Tokens and browser sessions are invalidated when a session is expired. If not set it uses the standard SSO Session Max value.",
|
||||
"clientSessionIdle": "Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. If not set it uses the standard SSO Session Idle value.",
|
||||
"clientSessionMax": "Max time before a client session is expired. Tokens are invalidated when a session is expired. If not set it uses the standard SSO Session Max value.",
|
||||
"clientSessionIdle": "Time a client session is allowed to be idle before it expires. Tokens are invalidated when a client session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Idle value.",
|
||||
"clientSessionMax": "Max time before a client session is expired. Tokens are invalidated when a session is expired. The option does not affect the global user SSO session. If not set, it uses the standard SSO Session Max value.",
|
||||
"offlineSessionIdle": "Time an offline session is allowed to be idle before it expires. You need to use offline token to refresh at least once within this period; otherwise offline session will expire.",
|
||||
"offlineSessionMaxLimited": "Enable offline session max",
|
||||
"offlineSessionMax": "Max time before an offline session is expired regardless of activity.",
|
||||
|
|
Loading…
Reference in a new issue