By love of god - I can’t understand what the difference is between “SSO Session Idle” and “SSO Session Max”!
This is what I found from googling:
“SSO Session Idle Specify the SSO Session Idle timeout. By default, the value is set to 30 minutes. SSO Session Max Specify the maximum time before a user session is expired and invalidated. By default, the value is set to 10 hours”
In our scenario, we are doing a user login using the Admin REST API,
and once the access token is expired we use the refresh token to create a new one.
From what I noticed, once I do that the refresh token expiration is reset to 30 minutes again.
So what is this 10-hour parameter?
Our goal is that if a user is idle for more than 1 hour - he will need to log in again.
What is the best way to achieve this?
@edwint88
Thanks for the reply!
Just to make sure I got it right.
If I set SSO Session Max to 10 hours - so even if the user is active for 10 hours (and I’m using the refresh token to generate a new access token) - after 10 hours I can no longer refresh the access token and the user session is no longer active (and I will have to log him out so he can reconnect)?
@amir
I have exactly the same problem, because I have set the session idle time to 30 minutes and my application has logic where every request checks the validity of the access_token or the expiry time of the refresh token. Could you find a resolution for this problem?
@admir
Maybe I’ll explain it again. My problem is that I set SSO Session Idle to 5 minutes and whatever I do in the app, Keycloak always finishes my session after 5 minutes.
In the Keycloak events there is information that the refresh token works, and in the user’s session there is information about the last access being updated.
From what I recall (since we left Keycloak a while ago) if you set the SSO Session idle to 5 minutes that means that after 5 minutes the token will expire.
I think that in KC you need to check the expiration time before any action you do, and if the token is about to expire (let’s say in 3 seconds) you need to refresh the token using KC (we used the API of KC so we refreshed it manually), and then the token will be valid for another 5 minutes.
The “SSO Session Max” means that no matter how many times you refresh the token - after a certain time (let’s say 10 hours) the session can’t be refreshed anymore and a new token needs to be created.
From what I recall the industry standards are:
access token should be 5 minutes
refresh token (SSO Session Idle) should be around 120 minutes
SSO Session Max depends on business logic, if you want a user/service token to be valid forever or not
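The idle-versus-max behaviour described in the reply above, as an added worked example (not code from the thread or from Keycloak): a small model of one SSO session where every successful refresh restarts the idle timer but can never push the session past the max cap, plus the "refresh when about to expire" client check. The 1-minute / 5-minute / 10-hour values and the 3-second margin are taken from the thread; the class and function names are assumptions.

```python
from dataclasses import dataclass

# Constructed settings mirroring the test values in this thread (seconds).
ACCESS_TOKEN_LIFESPAN = 60          # Access Token Lifespan - 1 minute
SSO_SESSION_IDLE = 5 * 60           # SSO Session Idle - 5 minutes
SSO_SESSION_MAX = 10 * 60 * 60      # SSO Session Max - 10 hours
REFRESH_MARGIN = 3                  # refresh when <= 3 s of access token remain


@dataclass
class SsoSession:
    """Model of one Keycloak SSO session; all times are seconds since epoch."""
    started: int
    idle_timeout: int = SSO_SESSION_IDLE
    max_lifespan: int = SSO_SESSION_MAX

    def __post_init__(self):
        self.last_access = self.started                      # reset on each refresh
        self.access_expires = self.started + ACCESS_TOKEN_LIFESPAN

    def session_expires(self) -> int:
        # Idle timer restarts on every refresh but can never pass the max cap.
        return min(self.last_access + self.idle_timeout,
                   self.started + self.max_lifespan)

    def is_active(self, now: int) -> bool:
        return now < self.session_expires()

    def needs_refresh(self, now: int) -> bool:
        # Client-side check done before each action: is the access token nearly gone?
        return self.access_expires - now <= REFRESH_MARGIN

    def refresh(self, now: int) -> bool:
        """Refresh-token grant: only succeeds while the SSO session is still active."""
        if not self.is_active(now):
            return False
        self.last_access = now
        self.access_expires = now + ACCESS_TOKEN_LIFESPAN
        return True


def simulate(request_times, idle=SSO_SESSION_IDLE, max_=SSO_SESSION_MAX):
    """Replay app requests; each one yields 'ok', 'refreshed' or 'login_required'."""
    session, outcomes = None, []
    for t in request_times:
        if session is None or not session.is_active(t):
            session = SsoSession(started=t, idle_timeout=idle, max_lifespan=max_)
            outcomes.append("login_required")       # idle or max exceeded: new login
        elif session.needs_refresh(t):
            session.refresh(t)                      # cannot fail: checked active above
            outcomes.append("refreshed")
        else:
            outcomes.append("ok")
    return outcomes
```

Running `simulate(range(0, 36001, 100))` shows a user who is never idle still gets `login_required` at the 10-hour mark, while a gap longer than 5 minutes between two requests triggers it through the idle timer alone.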
@admir
For the test I set the parameters below.
SSO Session Idle - 5 minutes
SSO Session Max - 10 hours
Access Token Lifespan - 1 minute
Every request in my app checks the validity of the access token. If expires_in has passed, then the refresh token gets a new access token. The parameters changed after each access token refresh.