Session duration when the user is not active

Hello,

I wonder about the session duration in Keycloak when the user is not active (a user authenticated to a resource application that is using KC). Namely, the parameter “SSO Session Idle” should regulate that. But what I have noticed is that after this time is exceeded (“SSO Session Idle”), the tokens are invalidated, but the session can be refreshed by reloading the page (the related session record still exists in KC). This can be done within a certain amount of time, which is a mystery (unclear) to me. After that time, the session is invalidated in KC, and when I reload the page, it redirects me to the login page as expected.
My question would be: can I really control the time span between “SSO Session Idle” and the time of the complete vanishing of the session in KC when the user is not active?
Or is it something that is internal to KC that cannot be customised?

Best Regards,
Konstantin

I’ve been brainfucked with this as well. Keycloak adds an internal 2 minute buffer for clustering reasons, and there doesn’t seem to be a way to configure/disable it.

If you look at the doc, somewhere it says:

For idle timeouts, a two-minute window of time exists that the session is active. For example, when you have the timeout set to 30 minutes, it will be 32 minutes before the session expires.
This action is necessary for some scenarios in cluster and cross-data center environments where the token refreshes on one cluster node a short time before the expiration and the other cluster nodes incorrectly consider the session as expired because they have not yet received the message about a successful refresh from the refreshing node.


@filou Thank you. Btw, do you maybe know what it means by “cluster and cross-data center environments”? I’m not sure if it applies to my environment.

Unless you are running multiple Keycloaks in different datacenters in different regions of the world, you are not doing this. Keycloak once had an ambition to be run this way, which is why they made decisions like the “2 minute buffer”, but it’s massively complex and unusably error-prone to try to set it up that way.

@xgp Alright. So, regardless of the actual KC setting, there should be a 2 min buffer, right?

From my reading of the code, it doesn’t matter how it’s deployed, the buffer is there.


Is there a way to avoid this buffer?

I don’t know about the buffer, but if it is important to you to have an exact user idle time, the SSO session idle time might not be sufficient. I had that kind of requirement, and I decided to do that directly within my application, by actively performing a logout after the timeout has been reached. The Keycloak timeouts are a secondary security mechanism that acts as a fallback if the application-based logout did not occur. In that regard, it does not really matter if the lifetime is two minutes more.

Maybe that approach could help you as well.
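The application-side idle logout described in the reply above, as an added example that is not code from the thread or from Keycloak. It tracks user activity in the browser, calls a logout callback (in practice `keycloak.logout()` from the keycloak-js adapter) once the application's own idle limit is reached, and picks that limit so it fires before the realm's "SSO Session Idle" plus the two-minute cluster window quoted from the docs. The class name `IdleLogout`, the helper `planIdleTimeouts` and the 60-second margin are assumptions made for this example; the injectable clock exists only so the logic can be exercised without a browser.

```javascript
// Added example (not from the thread or from Keycloak): application-enforced
// idle logout, with Keycloak's SSO Session Idle acting only as the fallback.

// DOM events treated as "the user is still here" (assumed list).
const ACTIVITY_EVENTS = ["mousemove", "keydown", "click", "touchstart", "scroll"];

class IdleLogout {
  // idleLimitMs: the application's idle limit; onLogout: e.g. () => keycloak.logout();
  // now: clock function, injectable for headless testing (defaults to wall clock).
  constructor({ idleLimitMs, onLogout, now = () => Date.now() }) {
    if (!(idleLimitMs > 0)) throw new RangeError("idleLimitMs must be > 0");
    this.idleLimitMs = idleLimitMs;
    this.onLogout = onLogout;
    this.now = now;
    this.lastActivity = now();
    this.loggedOut = false;
  }

  // Called on any user interaction; resets the idle clock.
  touch() {
    if (!this.loggedOut) this.lastActivity = this.now();
  }

  // Milliseconds since the last recorded activity.
  idleFor() {
    return this.now() - this.lastActivity;
  }

  // Returns true once the idle limit is reached; fires onLogout exactly once.
  check() {
    if (this.loggedOut) return true;
    if (this.idleFor() >= this.idleLimitMs) {
      this.loggedOut = true;
      this.onLogout();
      return true;
    }
    return false;
  }

  // Browser wiring: listen for activity on `target` (normally window) and poll.
  // Returns a function that detaches listeners and stops polling.
  attach(target, intervalMs = 1000) {
    const handler = () => this.touch();
    ACTIVITY_EVENTS.forEach((ev) => target.addEventListener(ev, handler, { passive: true }));
    const stop = () => {
      clearInterval(timer);
      ACTIVITY_EVENTS.forEach((ev) => target.removeEventListener(ev, handler));
    };
    const timer = setInterval(() => { if (this.check()) stop(); }, intervalMs);
    return stop;
  }
}

// Derive the application idle limit from the realm's SSO Session Idle (seconds).
// The 120 s buffer is the cluster window quoted in the thread; marginSec is extra
// slack (assumed default 60 s) so the app logs out before Keycloak ever has to.
function planIdleTimeouts(ssoSessionIdleSec, marginSec = 60) {
  const keycloakBufferSec = 120;
  const appIdleLimitSec = ssoSessionIdleSec - marginSec;
  if (appIdleLimitSec <= 0) throw new RangeError("SSO Session Idle too short for the chosen margin");
  return {
    appIdleLimitMs: appIdleLimitSec * 1000,
    // What Keycloak actually enforces: idle timeout plus the two-minute window.
    keycloakEffectiveIdleMs: (ssoSessionIdleSec + keycloakBufferSec) * 1000,
  };
}

// Browser usage (assumes a keycloak-js instance named `keycloak` is already initialised
// and the realm's SSO Session Idle is 30 minutes):
if (typeof window !== "undefined" && typeof keycloak !== "undefined") {
  const plan = planIdleTimeouts(1800);
  const tracker = new IdleLogout({
    idleLimitMs: plan.appIdleLimitMs,
    onLogout: () => keycloak.logout(),
  });
  tracker.attach(window);
}
```

With a 30-minute realm setting the plan yields a 29-minute application limit against an effective 32-minute Keycloak expiry, so the user is always logged out by the application first and the extra two minutes never decide anything. Note that the idle clock lives in the browser tab: a user with several tabs open is tracked per tab, which is usually the desired behaviour since `keycloak.logout()` ends the whole SSO session anyway.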