From 88fb1ec7478e2df96768969bb0744d45074cebae Mon Sep 17 00:00:00 2001 From: Bill Burke Date: Mon, 24 Feb 2014 20:20:29 -0500 Subject: [PATCH] token docs --- docbook/reference/en/en-US/master.xml | 2 + .../reference/en/en-US/modules/timeouts.xml | 40 +++++++++++++++++++ 2 files changed, 42 insertions(+) create mode 100755 docbook/reference/en/en-US/modules/timeouts.xml diff --git a/docbook/reference/en/en-US/master.xml b/docbook/reference/en/en-US/master.xml index 0537e1b02d..ca2a5490a4 100755 --- a/docbook/reference/en/en-US/master.xml +++ b/docbook/reference/en/en-US/master.xml @@ -18,6 +18,7 @@ + ]> @@ -93,6 +94,7 @@ &Email; &Roles; + &Timeouts; &Migration; diff --git a/docbook/reference/en/en-US/modules/timeouts.xml b/docbook/reference/en/en-US/modules/timeouts.xml new file mode 100755 index 0000000000..133707aac2 --- /dev/null +++ b/docbook/reference/en/en-US/modules/timeouts.xml @@ -0,0 +1,40 @@ + + Cookie Timeouts and Token Lifespans + + If you go to the Settings->Token page of the Keycloak adminstration console there is a bunch of fine tuning + you can do as far as login session timeouts go. + + + If you turn on the Remember Me switch in the admin console, your login pages will show a + "Remember Me" checkbox. This will set the central login SSO cookie to be a persistent cookie rather than a session + cookie. So, if you close your browser, you may still be logged in if you've checked the "Remember Me" checkbox. + + + The Central Login Lifespan sets how long a central login is valid for. When you are redirected + to the Keycloak Server for authentication, and you have already logged in, the Keycloak Server will refresh the + cookie used to remember you by between visits. So, the lifespan time is reset. If you have "Remember Me" + set up, you may want to set this lifespan to be days, weeks, or even months. Usually though you want it long + enough so users can browser various applications that are secured centrally by keycloak in one login session. + + + The Access Token Lifespan is how long an access token is valid for. An access token contains everything + an application needs to authorize a client. It contains roles allowed as well as other user information. When + an access token expires, your application will attempt to refresh it using a refresh token that it obtained in the + initial login. The value of this configuration option should be however long you feel comfortable with the + application not knowing if the user's permissions have changed. This value is usually in minutes or hours. + + + The Refresh Token Lifespan is how long a refresh token is valid for. The value of this is relative + to how comfortable you feel with how long you want an application's session to be valid. This value is usually + measured in minutes or hours and should be longer than the Access Token Lifespan. + + + The Access Code Lifespan is how long an access code is valid for. An access code is obtained + on the 1st leg of the OAuth 2.0 redirection protocol. This should be a short time limit. Usually seconds. + + + The Access Code Action Lifespan is how long a user is allowed to attempt a login. When a user tries + to login, they may have to change their password, set up TOTP, or perform some other action before they are redirected + back to your application as an authentnicated user. This value is relatively short and is usually measured in minutes. + + \ No newline at end of file