How to specify refresh tokens lifespan in Keycloak

D

4

95

Keycloak refresh token lifetime is 1800 seconds:

"refresh_expires_in": 1800

How to specify different expiration time? In Keycloak admin UI, only access token lifespan can be specified:

Drumfish answered 27/8, 2018 at 13:15 Comment(0)

E

54

The refresh token lifetime is controlled by the SSO Session Idle Setting. 30 minutes = 30 * 60 = 1800 seconds (the refresh_expires_in value)

Elora answered 13/2, 2019 at 21:38 Comment(5)

Actually, it is much much much more complicated. There are many relationships between each field and you can override it on 3 different places.. To make it clear, Keycloak is a hell. But for me, I had to set Client Session Idle to 0, Client Session Max to 0, SSO Session Idle to 999 Days. After that, I can control access token timeout with Access Token Lifespan and refresh token timeout with SSO Session Max . Took me 1 hour playing with all variables. SSO Session Idle or Access Token Lifespan will be taken whichever has lower amount of time – Cervantes 3/9, 2020 at 13:44

@KubaŠimonovský the problem with setting the SSO Session Idle to 999 you lose the idle functionality basically – Matthew 20/5, 2021 at 16:16

@KubaŠimonovský I set Client Session Idle to 0, Client Session Max to 0 and SSO Session Idle to 12 hours, but still the idle session expires in 30 minutes only. What else is required? – Ashwin 22/6, 2021 at 4:24

Thanks, @KubaŠimonovský this was helpful. – Mendicity 30/7, 2021 at 7:34

In the latest version, at the moment of writing 15.0.2, the refresh_expires_in value kept being 0. To fix this, I had to switch the Offline Session Max Limited toggle to "On". – Spooner 10/12, 2021 at 11:38

M

192

As pointed out in the comments by @Kuba Šimonovský the accepted answer is missing other important factors:

Actually, it is much much much more complicated.

TL;DR One can infer that the refresh token lifespan will be equal to the smallest value among (SSO Session Idle, Client Session Idle, SSO Session Max, and Client Session Max).

After having spent some time looking into this, and now looking back at this thread, I feel that the previous answers felt short to explain in detail what is going on (one might even argue that they are wrong actually).

Let us assume for now that we only have SSO Session Idle and SSO Session Max:

and SSO Session Max > SSO Session Idle in this case the refresh token lifetime is the same as SSO Session Idle. Why? because if the application is idle for SSO Session Idle time the user gets logout and that is why the refresh token is bound to that value. Whenever the application requests a new token, both the refresh token lifetime and SSO Session Idle countdown values will be reset again;
and SSO Session Max <= SSO Session Idle then the refresh token lifetime will be the same as SSO Session Max. Why? because regardless of what the user does (i.e., idle or not) the user gets logout after SSO Session Max time, and thus why the refresh token is bound to that value.

From here we conclude that the refresh token lifespan is bound to the lowest of the two values SSO Session Idle and SSO Session Max.

Both those values are related to Single Sign-ON (SSO). We still need to consider the values of the Client Session Idle and Client Session Max fields of the realm settings, which when NOT set are the same as SSO Session Idle and SSO Session Max, respectively.

If those values are set, in the context of the refresh token, they will override the values from SSO Session Idle and SSO Session Max, BUT only if they are lower than the values from SSO Session Idle and SSO Session Max.

Let us see the following examples: SSO Session Idle = 1800 seconds, SSO Session Max = 10 hours and:

Client Session Idle = 600 seconds and Client Session Max = 1 hour. In this case, the refresh token lifespan is the same as Client Session Idle;
Client Session Idle = 600 seconds and Client Session Max = 60 seconds. In this case, the refresh token lifespan is the same as Client Session Max.
Client Session Idle = 1 day and Client Session Max = 10 Days. In this case, the refresh token lifespan is the same as SSO Session Idle;

So in short you can infer that refresh token lifespan will be equal to the smallest value between (SSO Session Idle, Client Session Idle, SSO Session Max, and Client Session Max).

So the claim from previous answers that you can simply use the Client Session Max to control the refresh token lifespan is FALSE. One just needs to look at the previous examples 1) and 3).

Finally, the fields Client Session Idle and Client Session Max from the realm settings can be overwritten by the Client Session Idle and Client Session Max in the clients themselves, which will affect the refresh token lifespan for that client in particular.

The same logic applies but instead of considering the values Client Session Idle and Client Session Max from the realm settings one needs to consider those from the client advance settings.

Matthew answered 20/5, 2021 at 16:12 Comment(0)

E

54

The refresh token lifetime is controlled by the SSO Session Idle Setting. 30 minutes = 30 * 60 = 1800 seconds (the refresh_expires_in value)

Elora answered 13/2, 2019 at 21:38 Comment(5)

Actually, it is much much much more complicated. There are many relationships between each field and you can override it on 3 different places.. To make it clear, Keycloak is a hell. But for me, I had to set Client Session Idle to 0, Client Session Max to 0, SSO Session Idle to 999 Days. After that, I can control access token timeout with Access Token Lifespan and refresh token timeout with SSO Session Max . Took me 1 hour playing with all variables. SSO Session Idle or Access Token Lifespan will be taken whichever has lower amount of time – Cervantes 3/9, 2020 at 13:44

@KubaŠimonovský the problem with setting the SSO Session Idle to 999 you lose the idle functionality basically – Matthew 20/5, 2021 at 16:16

@KubaŠimonovský I set Client Session Idle to 0, Client Session Max to 0 and SSO Session Idle to 12 hours, but still the idle session expires in 30 minutes only. What else is required? – Ashwin 22/6, 2021 at 4:24

Thanks, @KubaŠimonovský this was helpful. – Mendicity 30/7, 2021 at 7:34

In the latest version, at the moment of writing 15.0.2, the refresh_expires_in value kept being 0. To fix this, I had to switch the Offline Session Max Limited toggle to "On". – Spooner 10/12, 2021 at 11:38

S

5

In v11.0.3, under the advanced settings for the client, there are no SSO Session Idle settings (not sure if these have just been renamed, moved, or are a realm setting available elsewhere in the admin interface), so starting with default client settings, you can specify Client Session Max to control refresh token lifetime without needing to change the other duration settings (Access Token Lifetime continues as you would expect). Evidence: adjusting settings and checking refresh_expires in response.

Subkingdom answered 12/12, 2020 at 18:28 Comment(0)

B

1

The refresh tokens lifespan is defined by the "Client Session Max" parameter in the "Tokens" tab of the Realm settings.

It can also be overridden on individual clients level under the "Advanced Settings" menu of the client settings page.

Like stated in the Keycloak docs: https://www.keycloak.org/docs/latest/server_admin/#_timeouts

Client Session Max

The maximum time before a refresh token is expired and invalidated. It allows for the specification of a shorter timeout of refresh token than session timeout. And it can be overridden on individual clients. It is an optional configuration and if not set to a value bigger than 0 it uses the same idle timeout set in the SSO Session Max configuration.

Badly answered 17/5, 2021 at 8:43 Comment(0)

Recommended topics

Hot tags