SSO Idle Timeout

Hello,

I have a Node.js app with a React front end. I want a user who doesn’t do anything in the browser for a while to be logged out. So I set the SSO Idle Timeout to 1 minute, to try it out. But it doesn’t seem to work. I log in to the app and just wait on the page, clicking on nothing, but even after more than 1 minute, when I refresh the page, I am still logged in. How can I solve this?

Also, I am leaving my express-session configuration here in case it is related.

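const session = require('express-session');

// In-memory store: contents are lost on restart
const memoryStore = new session.MemoryStore();

app.use(session({
    name: config.SESSION_NAME,
    secret: config.SESSION_SECRET,
    resave: false,
    saveUninitialized: true,
    proxy: true,
    // rolling: false means the cookie expiry is not pushed forward on each response
    rolling: false,
    cookie: {
        // maxAge takes milliseconds (2 hours here); expires would need a Date object
        maxAge: 2*60*60*1000
    },
    store: memoryStore
}));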

Upsie guys, pls, I'm gonna get fired unless I solve this by tomorrow

SSO Session Idle Timeout is the time that the refresh_token has to refresh the access_token. What is the configured access_token duration, in the option Access Token Lifespan?

And I think that you have to implement an idle check in your application: after X time idle, your app has to log out the session.

Are you using the Keycloak JS library? I think that some things like that are resolved in the library.

Access Token Lifespan is 5 minutes and SSO Session Idle is 30 minutes. Yes I am using the official nodejs adapter. If I have to do it on the server-side, how can I do it?

Remember, when you lower the SSO Idle Session, you have to lower the access token lifespan. You have to renew the access token before the session idle is reached. E.g. if SSO Idle Session is 1 minute, the access token lifespan needs to be lower than that.

I have done that but doing that absolutely does nothing, it doesn’t log me out.

Do you still have your job? If so, do you still need help with this?

YEAH I KEPT MY JOB BUT I HAD TO DO SOME THINGS I REALLY DON’T WANT TO NAME. any help is still more than appreciated.

For a full logout, you need the user to visit the logout endpoint (/user/logout). You could use a timeout to redirect them if there is no activity.

Hi, maybe there are some callback events of the Keycloak JS adapter that can help you to develop what you want; read the doc.
If you are using the React wrapper, I recommend you read their doc too.

A solution would be to pass a callback when initializing the Keycloak instance which sets a timeout function to calculate the expiration and execute logout.

Can that determine inactivity? That makes sense though. @dominicdettabp

Is there a way to determine inactivity? Or do you suggest that I reset the timer in every HTTP request?

I would also do the latter. It’s on my backlog, but because I regularly poll for data it’s non-trivial for my use case. I use the endpoint to sign users out of multiple browser sessions.

Ok thanks a lot. Will give it a try.

As you already suggested I would reset the timer in every http request.
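
One way to do the server-side version suggested in this thread (reset a timer on every HTTP request, but not on background polling), as an added example that is not code from any poster or from the Keycloak adapter. The option names and the `x-background-poll` header are hypothetical; `/user/logout` is the path mentioned above, and `session.destroy()` is the express-session call.

```javascript
// Express-style middleware: server-side idle timeout tracked in req.session.
// Option names (idleMs, logoutPath, isUserActivity, now) are hypothetical.
function idleTimeout({ idleMs, logoutPath, isUserActivity = () => true, now = Date.now }) {
  return function (req, res, next) {
    const session = req.session;
    if (!session) return next();          // no session middleware / anonymous

    const last = session.lastActivity;
    if (typeof last === 'number' && now() - last > idleMs) {
      // Idle too long: drop the local session, then send the browser to the
      // logout endpoint so the SSO session is ended as well.
      return session.destroy((err) => {
        if (err) return next(err);
        res.redirect(logoutPath);
      });
    }

    // Only genuine user activity resets the timer; background polling does
    // not, otherwise a polling page would never become idle.
    if (typeof last !== 'number' || isUserActivity(req)) {
      session.lastActivity = now();
    }
    next();
  };
}

// Constructed demo: fake req/res objects stand in for Express.
function simulate() {
  let clock = 0;
  const events = [];
  const session = { destroy(cb) { events.push('destroyed'); cb(); } };
  const res = { redirect: (url) => events.push('redirect ' + url) };
  const mw = idleTimeout({
    idleMs: 60 * 1000,
    logoutPath: '/user/logout',
    isUserActivity: (req) => req.headers['x-background-poll'] !== '1',
    now: () => clock,
  });
  const hit = (atMs, headers = {}) => {
    clock = atMs;
    mw({ session, headers }, res, () => events.push('next@' + atMs));
  };
  hit(0);                                    // first page load starts the timer
  hit(30000, { 'x-background-poll': '1' });  // poll: passes, timer not reset
  hit(50000);                                // click: timer reset to 50 s
  hit(100000, { 'x-background-poll': '1' }); // poll after 50 s idle: passes
  hit(120000);                               // 70 s idle: logged out
  return events;
}
```

Register it with `app.use(idleTimeout({...}))` after the `session(...)` middleware so that `req.session` is populated.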