This one has been asked a number of times before but so far there doesn’t appear to be any kind of fix.
We have a portal with about 30 apps under it. One in particular makes heavy use of ajax calls and we are seeing the connections time out with a 401 error after about 5 minutes. Session lifetimes and idle timeouts are set to >1hr in all cases but this has no apparent effect.
Anyone know why this behavior exists with keycloak?
We do not see the same problem with another well-known access management tool.
There’s no fix needed, at least not in Keycloak. It works all as designed.
When you experience 401s after 5 mins, you probably use the default ttl for access tokens, which is 5 mins. By increasing the ttl for session idle, you basically setting the expiration for the refresh token, not the access token.
Best practice (and pessimistic approach) is to check the access token every time you are using it and updating it if it’s expired (or short to expire) and then using the updated token. Optimistic approach would be to use the access token until you get 401s, then update the token and re-play the failed requests with the new token.