Hello, I am looking for advice for our use case:
- We have an application A - standard monolithic CRUD app deployed on j2ee app server
- There is also an application D consisting of a bunch of microservices (D1, D2, D3 …) secured by Keycloak with a typical architecture (request to D1 > Gateway > introspect access token in Keycloak > if ok forward request to D1, openid-connect).
The requirement is to have a single sign-on between A and D and also for A to be able to request data from the services D1/D2/D3… on behalf of the logged in user.
For this we are using OpenID Connect with the Authorization Code Flow: we’ve created a confidential client for application A and implemented all the necessary redirects and requests in application A.
When the users open application A for the first time, they are now redirected to Keycloak (D), authenticated, redirected back to A; A extracts the auth code, requests the access token and then stores it in javax.servlet.http.HttpSession for later use.
The user can then proceed to work in application A, navigating and editing different pages, some pages displaying data side-by-side from A’s database and D’s microservices (retrieved from D using the access token saved in HttpSession at login time).
The problem arises when users sit on some A-only pages (displaying data from A’s database only) for more than the “SSO Session Idle” time. It means that for this period of time no requests to D are made, so the UserSession in Keycloak expires and the next request to D returns a 401 response.
Our Token Settings look like this:
SSO Session Idle = 30 minutes (our Security team will not allow raising it)
Access Token Lifespan = 5 hours
Keycloak Version = 5.0.0
It is perfectly normal for our use case for the user to work on some A-only page for 40 minutes and only then proceed to an A+D page. But because SSO Session Idle is 30 minutes, this page will not open fully (only data from A will be displayed, with errors for D). Could you please advise how we can solve it?
Options we’ve considered:
- Using the Refresh Token once we get a 401 - but we can’t, since SSO Session Idle and Refresh Token Expiration time are the same (the refresh token has already expired)
- Pinging D’s introspect token endpoint once every 30 minutes to prolong the Keycloak User Session.
But once the access token expires after 5 hours (provided that the user is still working in A in the same HTTP session) we can’t use the refresh token, since it expired 4.5 hours ago.
We want to use the refresh token to avoid bothering user with the login form while HttpSession in A is still active (meaning the user is actively working with A).
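The timers described in this post, replayed as an added simulation (example code written for this thread; it is neither the poster's code nor Keycloak's). It models only the semantics the post states: the refresh token expires together with the SSO Session Idle window, and a successful refresh resets that window and issues a new token pair. Assumptions beyond the post: SSO Session Max is ignored, introspection is treated as read-only (it does not touch the user session), and application A's HttpSession idle timeout (`HTTP_SESSION_TIMEOUT`, 60 minutes) is invented, since the post does not give it. The two strategies compared are the post's current one (refresh attempted only after a 401) and a background job in A that renews the refresh token shortly before it expires, but only while the HttpSession is still alive, so the Keycloak session ends when the user really stops working.

```python
from dataclasses import dataclass

# Timer values quoted in the question (seconds)
SSO_SESSION_IDLE = 30 * 60
ACCESS_TOKEN_LIFESPAN = 5 * 60 * 60
# Assumed idle timeout of application A's HttpSession (not stated in the question)
HTTP_SESSION_TIMEOUT = 60 * 60


@dataclass
class TokenPair:
    access_expires_at: int
    refresh_expires_at: int


class RefreshError(Exception):
    pass


class FakeKeycloak:
    """Stand-in for the Keycloak user session; only the timers are modelled.
    Assumptions: refresh token lives exactly as long as the idle window,
    SSO Session Max is ignored, introspection does not touch the session."""

    def __init__(self):
        self.session_expires_at = 0

    def login(self, now):
        self.session_expires_at = now + SSO_SESSION_IDLE
        return TokenPair(now + ACCESS_TOKEN_LIFESPAN, now + SSO_SESSION_IDLE)

    def introspect(self, tokens, now):
        """What D's gateway sees: active only while the user session lives
        and the access token is within its lifespan."""
        return now < self.session_expires_at and now < tokens.access_expires_at

    def refresh(self, tokens, now):
        """grant_type=refresh_token: success resets the idle window and
        issues a fresh access/refresh pair."""
        if now >= tokens.refresh_expires_at or now >= self.session_expires_at:
            raise RefreshError("refresh token or SSO session already expired")
        self.session_expires_at = now + SSO_SESSION_IDLE
        return TokenPair(now + ACCESS_TOKEN_LIFESPAN, now + SSO_SESSION_IDLE)


class AppA:
    """Application A's server side. Tokens stay in the HttpSession, never in
    the browser. refresh_margin is how long before refresh-token expiry the
    background job renews it; 0 reproduces the current behaviour
    (refresh attempted only after a 401)."""

    def __init__(self, kc, now, refresh_margin):
        self.kc = kc
        self.tokens = kc.login(now)
        self.http_session_expires_at = now + HTTP_SESSION_TIMEOUT
        self.refresh_margin = refresh_margin
        self.refreshes = 0

    def touch(self, now):
        """Any request to A (A-only or A+D page) keeps the HttpSession alive."""
        self.http_session_expires_at = now + HTTP_SESSION_TIMEOUT

    def background_tick(self, now):
        """Scheduled job: renew the refresh token while the HttpSession is alive."""
        if self.refresh_margin == 0 or now >= self.http_session_expires_at:
            return False
        if self.tokens.refresh_expires_at - now <= self.refresh_margin:
            self.tokens = self.kc.refresh(self.tokens, now)
            self.refreshes += 1
            return True
        return False

    def open_a_plus_d_page(self, now):
        """Call D with the stored token; on 401 try the refresh token once."""
        self.touch(now)
        if self.kc.introspect(self.tokens, now):
            return True
        try:
            self.tokens = self.kc.refresh(self.tokens, now)
            self.refreshes += 1
        except RefreshError:
            return False
        return self.kc.introspect(self.tokens, now)


def simulate(refresh_margin, a_page_minutes, d_page_minutes, tick=60):
    """Replay a constructed timeline: login at t=0, A-only page loads and A+D
    page loads at the given minutes, background job every `tick` seconds.
    Returns ({minute: page_loaded_fully}, number_of_refreshes)."""
    kc = FakeKeycloak()
    app = AppA(kc, 0, refresh_margin)
    a_times = {m * 60 for m in a_page_minutes}
    d_times = {m * 60 for m in d_page_minutes}
    outcome = {}
    for now in range(tick, max(d_times) + tick, tick):
        app.background_tick(now)
        if now in a_times:
            app.touch(now)
        if now in d_times:
            outcome[now // 60] = app.open_a_plus_d_page(now)
    return outcome, app.refreshes


if __name__ == "__main__":
    # 40 minutes on an A-only page, then an A+D page; a second A+D page after
    # the 5-hour access-token lifespan, with A kept busy every 45 minutes.
    timeline = dict(a_page_minutes=range(0, 330, 45), d_page_minutes=[40, 320])
    print("refresh only on 401  :", simulate(0, **timeline))
    print("refresh every ~25 min:", simulate(5 * 60, **timeline))
```

With the post's timers, the first strategy fails both A+D page loads and never manages a refresh, because by the time the 401 arrives the refresh token is already gone. The background strategy refreshes every 25 minutes (12 times over the 320-minute run), keeps the Keycloak session and a valid access token across the 5-hour lifespan, and, once the HttpSession in A expires, stops refreshing so the Keycloak session ends as the security policy intends.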