Skip to content

keycloak: Set SSO Session Idle to one week, Session Max to one month

It enables to extend an OpenID Connect refresh token expiration from 30 minutes to one week.

It means a user does not have to login with his credentials again during that idle period.

For instance when a user logged in into SWH Web Applications using a browser, if he visits the website again during that idle period he will remain connected to his authenticated session.

Please note that it does not affect user permissions encoded in OIDC access tokens that are renewed every 5 minutes.

Found host kelvingrove.internal.softwareheritage.org
Cloning into '/tmp/swh-ocd.tRNPqiYk/environments/production/data/private'...
done.
Cloning into '/tmp/swh-ocd.tRNPqiYk/environments/staging/data/private'...
done.
*** Running octocatalog-diff on host kelvingrove.internal.softwareheritage.org
I, [2021-05-06T15:41:03.438354 #568859]  INFO -- : Catalogs compiled for kelvingrove.internal.softwareheritage.org
I, [2021-05-06T15:41:03.694366 #568859]  INFO -- : Diffs computed for kelvingrove.internal.softwareheritage.org
diff origin/production/kelvingrove.internal.softwareheritage.org current/kelvingrove.internal.softwareheritage.org
*******************************************
  Keycloak_realm[SoftwareHeritageStaging] =>
   parameters =>
     sso_session_idle_timeout =>
      + 604800
     sso_session_max_lifespan =>
      + 2592000
*******************************************
  Keycloak_realm[SoftwareHeritage] =>
   parameters =>
     sso_session_idle_timeout =>
      + 604800
     sso_session_max_lifespan =>
      + 2592000
*******************************************
  Keycloak_realm[master] =>
   parameters =>
     sso_session_idle_timeout =>
      + 604800
     sso_session_max_lifespan =>
      + 2592000
*******************************************
*** End octocatalog-diff on kelvingrove.internal.softwareheritage.org

Related to T3272


Migrated from D5704 (view on Phabricator)

Merge request reports