SSO Session Idle and Refresh Token expiration - why do these come from the same parameter?

Hello, I am looking for advice for our use case:

  1. We have an application A - standard monolithic CRUD app deployed on a J2EE app server
  2. There is also an application D consisting of a bunch of microservices (D1, D2, D3 …) secured by Keycloak with a typical architecture (request to D1 > Gateway > introspect access token in Keycloak > if ok forward request to D1, openid-connect).

The requirement is to have a single sign-on between A and D and also for A to be able to request data from the services D1/D2/D3… on behalf of the logged in user.
For this we are using OpenID Connect with Authorization Code Flow: we’ve created a confidential client for application A and implemented all the necessary redirects and requests in application A.
When the users open application A for the first time, they are now redirected to Keycloak D, authenticated, redirected back to A, A extracts the auth code, requests the access token and then stores it in javax.servlet.http.HttpSession for later use.

The user can then proceed to work in application A, navigating and editing different pages, some pages displaying data side-by-side from A’s database and D’s microservices (retrieved from D using the access token saved in HttpSession at login time).

The problem arises when users sit on some A-only pages (displaying data from A’s database only) for more than “SSO Session Idle” time. It means that for this period of time no requests to D are made and so the UserSession in Keycloak expires and the next request to D returns a 401 response.
Our Token Settings look like this:
SSO Session Idle = 30 minutes (our Security team will not allow raising it)
Access Token Lifespan = 5 hours
Keycloak Version = 5.0.0

It is perfectly normal for our use case for the user to work on some A-only page for 40 minutes and only then proceed to an A+D page. But because SSO Session Idle is 30 minutes, this page will not open fully (only data from A will be displayed, with errors for D). Could you please advise how we can solve it?

Options we’ve considered:

  1. Using Refresh Token once we get 401 - but we can’t since SSO Session Idle and Refresh Token Expiration time are the same (refresh token has already expired)
  2. Once in 30 minutes ping D’s introspect token endpoint to prolong Keycloak User Session.
    But once the access token expires after 5 hours (provided that the user is still working in A in the same http session) - we can’t use the refresh token since it expired 4.5 hours ago.

We want to use the refresh token to avoid bothering user with the login form while HttpSession in A is still active (meaning the user is actively working with A).

Have you ever solved it?

Something is fishy here, I think the problem is your access token lifespan. Shouldn’t that be like 1-5 minutes, and you refresh as it expires? The docs on the SSO session idle say

The idle timeout is reset by a client requesting authentication or by a refresh token request. 

So this is by design. It works by saying “I will consider this user SSO idle if he doesn’t refresh his token in 30 minutes”. Modern security best practice is to keep your auth token lifetime short, force clients to refresh often. This way, if you need to revoke a session, you can just deny them that right to refresh (instead of constantly checking some introspection endpoint to make sure a user is still good). If you request an offline session, your request token should be good for 30 days, by default. (Maybe it’s something odd with 5 that’s since been changed.)

If you really need to, you can override the Access Token lifespan on a per-client basis.
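The following is an added example, not code from the thread, from Keycloak or from the questioner's Java application. It models in Python (minutes as the time unit) the interaction the question describes between SSO Session Idle, the refresh token lifetime and the access token lifespan, and the two refresh policies under discussion: refreshing only when a call to D fails (option 1 in the question) versus refreshing on any request to A while the user is active there, as the answer's "refresh often" advice implies. The `FakeIdP` class is a constructed stand-in for Keycloak: it accepts a refresh grant only while the SSO session has not been idle longer than the configured limit, resets the idle clock on each successful refresh (the behaviour the quoted docs describe), and reports the access token as inactive once the session has gone idle. It does not reset the idle clock on introspection; the thread does not establish whether Keycloak 5 does, so that is an assumption of the model. The request schedule and all numbers other than the 30 minute / 5 hour settings from the question are constructed.

```python
"""Simulation of SSO Session Idle vs. refresh/access token lifetimes (added example).

Assumptions (constructed, not Keycloak's code): refresh succeeds only while the SSO
session is not idle; a successful refresh resets the idle timer; introspection does
not. Time is in minutes.
"""
from dataclasses import dataclass


@dataclass
class Tokens:
    access_exp: float   # absolute minute at which the access token expires
    refresh_exp: float  # absolute minute at which the refresh token expires


class FakeIdP:
    """Minimal stand-in for the Keycloak realm D (hypothetical model, not Keycloak)."""

    def __init__(self, sso_idle: float, access_lifespan: float):
        self.sso_idle = sso_idle
        self.access_lifespan = access_lifespan
        self.last_activity = None  # None means there is no live SSO session

    def _issue(self, now: float) -> Tokens:
        # The refresh token lifetime is bounded by SSO Session Idle, as observed in the question.
        return Tokens(access_exp=now + self.access_lifespan,
                      refresh_exp=now + self.sso_idle)

    def login(self, now: float) -> Tokens:
        self.last_activity = now
        return self._issue(now)

    def _session_alive(self, now: float) -> bool:
        return self.last_activity is not None and now - self.last_activity <= self.sso_idle

    def refresh(self, now: float, tokens: Tokens) -> Tokens:
        if not self._session_alive(now) or now > tokens.refresh_exp:
            self.last_activity = None
            raise PermissionError("invalid_grant: refresh token / SSO session expired")
        self.last_activity = now  # a refresh resets the idle timeout
        return self._issue(now)

    def introspect(self, now: float, tokens: Tokens) -> bool:
        # active only while the token is unexpired AND the user session still exists
        return now <= tokens.access_exp and self._session_alive(now)


class AppA:
    """Token bookkeeping app A keeps in the user's HttpSession (modelled here in Python)."""

    def __init__(self, idp: FakeIdP, now: float):
        self.idp = idp
        self.tokens = idp.login(now)
        self.logins = 1  # number of times the user has been sent through the login form

    def try_refresh(self, now: float) -> bool:
        try:
            self.tokens = self.idp.refresh(now, self.tokens)
            return True
        except PermissionError:
            return False

    def call_d(self, now: float) -> str:
        """Fetch data from D: use the token if valid, else refresh, else re-login."""
        if self.idp.introspect(now, self.tokens):
            return "ok"
        if self.try_refresh(now):
            return "refreshed"
        self.tokens = self.idp.login(now)
        self.logins += 1
        return "relogin"


def run_session(idp: FakeIdP, events, keepalive_margin=None):
    """events: (minute, needs_d) pairs, one per user request to A.

    keepalive_margin=None: refresh only when a call to D fails (option 1 in the question).
    Otherwise: on any request to A, refresh once the earlier of the two expiries is within
    keepalive_margin minutes, so a user who is active in A never lets the refresh token
    (and with it the SSO session) lapse, however long the access token lives.
    Returns (login form count, outcome of each D call)."""
    app = AppA(idp, events[0][0])
    outcomes = []
    for now, needs_d in events:
        if keepalive_margin is not None:
            soonest = min(app.tokens.access_exp, app.tokens.refresh_exp)
            if soonest - now <= keepalive_margin:
                app.try_refresh(now)
        if needs_d:
            outcomes.append(app.call_d(now))
    return app.logins, outcomes


# Constructed schedule: the user clicks around A every 10 minutes for an hour and opens
# an A+D page at minute 0 and again at minute 40 (the 40-minute case from the question).
SCHEDULE = [(t, t in (0, 40)) for t in range(0, 70, 10)]
THREAD_CONFIG = dict(sso_idle=30, access_lifespan=300)  # 30 min idle, 5 h access token

if __name__ == "__main__":
    # refresh-on-401 with the thread's settings: the refresh token is already dead at minute 40
    print(run_session(FakeIdP(**THREAD_CONFIG), SCHEDULE))                        # (2, ['ok', 'relogin'])
    # refresh while the user is active in A: no second login, even with a 5 h access token
    print(run_session(FakeIdP(**THREAD_CONFIG), SCHEDULE, keepalive_margin=12))   # (1, ['ok', 'ok'])
    # short access token as in the answer, refreshed as it expires: same result
    print(run_session(FakeIdP(sso_idle=30, access_lifespan=5), SCHEDULE, keepalive_margin=1))
```

The point the simulation makes concrete is that the refresh has to happen while the user is active in A, not only when a D call fails: with a 30-minute idle limit, the first D request after 40 minutes of A-only work finds the refresh token already expired under either access token lifespan, whereas a refresh triggered from ordinary A requests keeps the SSO session alive for as long as the HttpSession is in use.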