...

  • Keycloak access tokens are created with the following restrictions:
    • Time to Live (TTL):
      • The access token will expire after the given period (Access Token Lifespan).
      • The session will expire after the given period (Client Session Idle).
      • The Identity Service renews the access token 20s before expiration of the session or of the access token, whichever comes first; renewals continue until Session Max is reached. This requires that the access token's TTL exceeds 60s and that the Keycloak permission allowing the owner of an access token to renew it is in place.
    • Maximum Time to Live:
      • The access token's overall lifetime is limited (Session Max), renewals cannot take place after the specified period.
  • If an access token cannot be renewed by the Identity Service then the user session is terminated and the user is forced to log in again and to specify credentials.
    • This happens in the event that the maximum TTL is exceeded or that the token is revoked.
    • Keycloak administrators should check that the session TTL (Session Idle) and the Access Token Lifespan have reasonable values, suggested not less than 300s, and that the maximum TTL (Session Max) is reasonable, suggested at least 15 minutes, as otherwise users will be forced to log in repeatedly.
  • The JOC Cockpit handles the idle timeout of user sessions independently from Keycloak, see JS7 - Identity Services.
    • If the idle timeout is exceeded then the user session is terminated.
    • The Identity Service will revoke the access token with the Keycloak Server on termination of the user session.
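As an added example that is not part of the JS7 documentation, the following Python model applies the renewal rules described above: it flags timeout values below the figures suggested on this page and simulates when the Identity Service would renew the token and when the user would be forced to log in again. The dataclass field names and the assumption that a renewal restarts the idle clock (no other user activity in between) are mine.

```python
from dataclasses import dataclass

# Figures taken from the page: renewal runs 20s before expiry and needs a TTL above 60s.
RENEWAL_LEAD_SECONDS = 20
MIN_RENEWABLE_TTL_SECONDS = 60
# Suggested floors from the page: TTLs not below 300s, Session Max at least 15 minutes.
RECOMMENDED_MIN_TTL_SECONDS = 300
RECOMMENDED_MIN_SESSION_MAX_SECONDS = 15 * 60


@dataclass(frozen=True)
class KeycloakTimeouts:
    """Realm/client timeouts in seconds (field names are assumptions, chosen to mirror the console)."""
    access_token_lifespan: int
    client_session_idle: int
    session_max: int


def check_timeouts(t: KeycloakTimeouts) -> list[str]:
    """Return advisory findings for values that block renewal or force frequent logins."""
    findings = []
    if min(t.access_token_lifespan, t.client_session_idle) <= MIN_RENEWABLE_TTL_SECONDS:
        findings.append("token TTL must exceed 60s or the Identity Service cannot renew it")
    if t.access_token_lifespan < RECOMMENDED_MIN_TTL_SECONDS:
        findings.append("Access Token Lifespan below the suggested 300s")
    if t.client_session_idle < RECOMMENDED_MIN_TTL_SECONDS:
        findings.append("Client Session Idle below the suggested 300s")
    if t.session_max < RECOMMENDED_MIN_SESSION_MAX_SECONDS:
        findings.append("Session Max below the suggested 15 minutes")
    return findings


def renewal_schedule(t: KeycloakTimeouts) -> tuple[list[int], int]:
    """Simulate a session that starts at second 0 with no user activity between renewals.

    Returns (renewal times, second at which the session is terminated and the user
    must log in again). Assumption: the token is renewed 20s before the earlier of
    access-token expiry and session-idle expiry, and no renewal is issued once
    Session Max is reached.
    """
    ttl = min(t.access_token_lifespan, t.client_session_idle)
    issued_at, renewals = 0, []
    if ttl > MIN_RENEWABLE_TTL_SECONDS:
        while (renew_at := issued_at + ttl - RENEWAL_LEAD_SECONDS) < t.session_max:
            renewals.append(renew_at)
            issued_at = renew_at
    terminated_at = min(issued_at + ttl, t.session_max)
    return renewals, terminated_at
```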

...