token docs

docbook/reference/en/en-US/master.xml

@@ -18,6 +18,7 @@
                 <!ENTITY Migration SYSTEM "modules/MigrationFromOlderVersions.xml">
                 <!ENTITY Email SYSTEM "modules/email.xml">
                 <!ENTITY Roles SYSTEM "modules/roles.xml">
+                <!ENTITY Timeouts SYSTEM "modules/timeouts.xml">
                 ]>
 
 <book>
@@ -93,6 +94,7 @@
         &Email;
     </chapter>
     &Roles;
+    &Timeouts;
     &Migration;
 
 </book>

docbook/reference/en/en-US/modules/timeouts.xml

@@ -0,0 +1,40 @@
+<chapter id="timeouts">
+    <title>Cookie Timeouts and Token Lifespans</title>
+    <para>
+        If you go to the Settings->Token page of the Keycloak adminstration console there is a bunch of fine tuning
+        you can do as far as login session timeouts go.
+    </para>
+    <para>
+        If you turn on the <literal>Remember Me</literal> switch in the admin console, your login pages will show a
+        "Remember Me" checkbox.  This will set the central login SSO cookie to be a persistent cookie rather than a session
+        cookie.  So, if you close your browser, you may still be logged in if you've checked the "Remember Me" checkbox.
+    </para>
+    <para>
+        The <literal>Central Login Lifespan</literal> sets how long a central login is valid for.  When you are redirected
+        to the Keycloak Server for authentication, and you have already logged in, the Keycloak Server will refresh the
+        cookie used to remember you by between visits.  So, the lifespan time is reset.  If you have "Remember Me"
+        set up, you may want to set this lifespan to be days, weeks, or even months.  Usually though you want it long
+        enough so users can browser various applications that are secured centrally by keycloak in one login session.
+    </para>
+    <para>
+        The <literal>Access Token Lifespan</literal> is how long an access token is valid for.  An access token contains everything
+        an application needs to authorize a client.  It contains roles allowed as well as other user information.  When
+        an access token expires, your application will attempt to refresh it using a refresh token that it obtained in the
+        initial login.  The value of this configuration option should be however long you feel comfortable with the
+        application not knowing if the user's permissions have changed.  This value is usually in minutes or hours.
+    </para>
+    <para>
+        The <literal>Refresh Token Lifespan</literal> is how long a refresh token is valid for.  The value of this is relative
+        to how comfortable you feel with how long you want an application's session to be valid.  This value is usually
+        measured in minutes or hours and should be longer than the Access Token Lifespan.
+    </para>
+    <para>
+        The <literal>Access Code Lifespan</literal> is how long an access code is valid for.  An access code is obtained
+        on the 1st leg of the OAuth 2.0 redirection protocol.  This should be a short time limit.  Usually seconds.
+    </para>
+    <para>
+        The <literal>Access Code Action Lifespan</literal> is how long a user is allowed to attempt a login.  When a user tries
+        to login, they may have to change their password, set up TOTP, or perform some other action before they are redirected
+        back to your application as an authentnicated user.  This value is relatively short and is usually measured in minutes.
+    </para>
+</chapter>