40 lines
No EOL
2.9 KiB
XML
Executable file
40 lines
No EOL
2.9 KiB
XML
Executable file
<chapter id="timeouts">
|
|
<title>Cookie Timeouts and Token Lifespans</title>
|
|
<para>
|
|
If you go to the Settings->Token page of the Keycloak adminstration console there is a bunch of fine tuning
|
|
you can do as far as login session timeouts go.
|
|
</para>
|
|
<para>
|
|
If you turn on the <literal>Remember Me</literal> switch in the admin console, your login pages will show a
|
|
"Remember Me" checkbox. This will set the central login SSO cookie to be a persistent cookie rather than a session
|
|
cookie. So, if you close your browser, you may still be logged in if you've checked the "Remember Me" checkbox.
|
|
</para>
|
|
<para>
|
|
The <literal>Central Login Lifespan</literal> sets how long a central login is valid for. When you are redirected
|
|
to the Keycloak Server for authentication, and you have already logged in, the Keycloak Server will refresh the
|
|
cookie used to remember you by between visits. So, the lifespan time is reset. If you have "Remember Me"
|
|
set up, you may want to set this lifespan to be days, weeks, or even months. Usually though you want it long
|
|
enough so users can browser various applications that are secured centrally by keycloak in one login session.
|
|
</para>
|
|
<para>
|
|
The <literal>Access Token Lifespan</literal> is how long an access token is valid for. An access token contains everything
|
|
an application needs to authorize a client. It contains roles allowed as well as other user information. When
|
|
an access token expires, your application will attempt to refresh it using a refresh token that it obtained in the
|
|
initial login. The value of this configuration option should be however long you feel comfortable with the
|
|
application not knowing if the user's permissions have changed. This value is usually in minutes or hours.
|
|
</para>
|
|
<para>
|
|
The <literal>Refresh Token Lifespan</literal> is how long a refresh token is valid for. The value of this is relative
|
|
to how comfortable you feel with how long you want an application's session to be valid. This value is usually
|
|
measured in minutes or hours and should be longer than the Access Token Lifespan.
|
|
</para>
|
|
<para>
|
|
The <literal>Access Code Lifespan</literal> is how long an access code is valid for. An access code is obtained
|
|
on the 1st leg of the OAuth 2.0 redirection protocol. This should be a short time limit. Usually seconds.
|
|
</para>
|
|
<para>
|
|
The <literal>Access Code Action Lifespan</literal> is how long a user is allowed to attempt a login. When a user tries
|
|
to login, they may have to change their password, set up TOTP, or perform some other action before they are redirected
|
|
back to your application as an authentnicated user. This value is relatively short and is usually measured in minutes.
|
|
</para>
|
|
</chapter> |