I use Keycloak and apache2-oidc in order to protect my application. I have configured the protection and it's working. However I have many problems with the timeout of tokens. I have not found documentation that explains the configuration of auth_openidc.conf in apache2 and the token configuration in Keycloak.
Issues :
When my access_token expires and I have not touched my application: sometimes I get a 401, but when I refresh the page I'm logged in.
When I stay on the login page for a long time I get this error: "Invalid Authentication Response", but when I refresh the page I'm logged in.
In Keycloak I configure :
Access Token Lifespan
SSO Session Idle
In apache I don’t know how to configure : OIDCStateTimeout and OIDCSessionInactivityTimeout.
Can someone explain to me how to configure these settings?
PS: Sorry if I made language mistakes, I'm French.
I have tested a configuration, but I don't understand the result:
My parameters (in order to test and understand) :
In Keycloak :
SSO Session Idle : 3 minutes (the time to live of the refresh token)
SSO Session Max : 10 Hours (I imagine that's the maximum time of activity)
Access Token Lifespan : 2 minutes
Other parameters have long durations > 100 minutes
In mod_auth_openidc
OIDCRefreshAccessTokenBeforeExpiry 60
OIDCSessionInactivityTimeout 240
OIDCStateTimeout 10 (Not a good value, but for testing and to be sure that this value does not interfere.)
Other timeouts are the default configuration
I have tested several things (for the start of the connection, I changed the page…):
Before 1 minute : I keep my Access Token
Between 1 and 3 minutes : I renew my Access Token
Between 3 and 4 minutes : I'm logged out
Between 4 and 5 minutes : I'm redirected to the logout page, then I'm redirected to the login page, then I'm logged in automatically and redirected to the protected home page
After 5 minutes : I'm logged out
Can someone explain the behavior "Between 4 and 5 minutes" to me?
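An aligned auth_openidc.conf for the Keycloak lifetimes quoted in the post, added here as an example and not part of the original post or of the mod_auth_openidc project; the chosen seconds are assumptions, picked so that each Apache-side timer is no longer than its Keycloak counterpart and the Apache session cannot outlive the Keycloak SSO session.

```apache
# Keycloak side (from the post): Access Token Lifespan 2 min, SSO Session Idle 3 min,
# SSO Session Max 10 h. Apache side: keep every mod_auth_openidc timer at or below
# the matching Keycloak value, otherwise Apache still holds a session whose refresh
# token Keycloak has already expired.

# Refresh the access token once fewer than 30 s of its 120 s lifespan remain
# (assumed value). It must stay below the Access Token Lifespan; the posted 60 s
# leaves a one-minute window in which every request can trigger a refresh.
OIDCRefreshAccessTokenBeforeExpiry 30

# Apache session idle timeout, matched to Keycloak's SSO Session Idle (180 s).
# The posted 240 s let the Apache session survive for a minute after Keycloak
# had already invalidated the refresh token, which is the assumed cause of the
# odd behaviour between minutes 3 and 5.
OIDCSessionInactivityTimeout 180

# Absolute Apache session lifetime, capped by Keycloak's SSO Session Max (10 h).
OIDCSessionMaxDuration 36000

# Lifetime of the state cookie set before redirecting to Keycloak. A user who sits
# on the login page longer than this returns with a state the module no longer
# accepts (assumed to be behind the "Invalid Authentication Response" error).
# The posted 10 s makes that failure more likely, not less; 300 s is the default.
OIDCStateTimeout 300
```

Check the effect with a browser left idle for just over three minutes: the expected result is a single clean redirect to the Keycloak login page, with no intermediate logout page.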