I want to achieve following using KeyCloak. how can I do it? I am using node application using keycloak-js library.
The JWT token should include a refresh token.
The JWT access time should be set to two minutes, the refresh token expiry set to one hour.
Go to Keycloak Administrative Console.
Select your Realm.
Go to "Tokens" tab.
Set desired timeout in "SSO Session Idle" param
Refresh token timeout is controlled via "SSO Session Idle" param.
Set it to 1 hour in your case.
Bear in mind that there are no refresh tokens in "Implicit flow.
Related
I have a multitenant web api project with microsoft azure integration. I connect to microsoft, get access token and refresh token and each time before access token expiration, I call api
POST https://login.microsoftonline.com/tenant/oauth2/v2.0/token
data in request is:
grant_type=refresh_token
refresh_token=xxxxxxxxxxx
client_id=xxxxxxxxxx
I get new access token and refresh token, and after an hour get new access token with the same api and last recieved refresh token. But after 24 hours somehow my refresh token expires, and I need to reconnect and enter my credentials again.
How to make my refresh token don't expire until i revoke it manually. I need somehow update refresh token timeout in background and save my integration always connected until i revoke it manually.
I need somehow organize this to stay connected always until manual revocation. Any solution?
There is a 24 hour limit to refresh tokens under certain conditions:
Refresh tokens sent to a redirect URI registered as spa expire after
24 hours. Additional refresh tokens acquired using the initial refresh
token carry over that expiration time, so apps must be prepared to
rerun the authorization code flow using an interactive authentication
to get a new refresh token every 24 hours. Users don't have to enter
their credentials and usually don't even see any related user
experience, just a reload of your application. The browser must visit
the log-in page in a top-level frame to show the login session. This
is due to privacy features in browsers that block third party cookies.
See: https://learn.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens
I am trying implementing JWT Tokens(Access tokens and Refresh tokens), but I come to an issue on requesting a protected resource with an expired access token, while the refresh token is still valid.
I know that I should not use refresh tokens to request resources, refresh tokens should be used against authorization validators to revalidate/regenerate access tokens.
In my app, the User can log in by POST request with a valid credential to get Access token(exp. in 1min) and Refresh token(exp. in 10min.). Say now User making a request 30 sec later of login and sends both tokens, then tokens get checked and resource comes back. If now user makes a request after 2min and sends tokens, his access token is Invalid, in this scenario how can I proceed with the request and revalidate tokens.
I can think of middleware to validate and provide tokens and send that with the response, but is this the right approach?
Then I need to handle and restore tokens on the client-side for every response. Don't I?
Also, I do not want to prompt users to re-login. I am using Node and Express for Server and React on Client.
Here are your steps:
Try to login
Receive 401 from server when token is invalid
Request a new access token by making a new refresh request.
Set the new access token and refresh token
Retry original request
This has to be done on the client side because it is the audience that gets validated for authorization.
Usually we don't set the access token to expire every minute because the described process would add too much latency to the process.
Edit from #MComment:
5 min for access tokens and 30 min up to a few hours is what is generally recommended for respectively access and refresh tokens. Usually Authorization Servers offer "rolling refresh" - refresh token's expiration is renewed whenever you use it. This way a user stays logged in as long as they are actively using the website
You can update expired date of access token in every request, no need to regenerate token.
I think session time you set is not normal and recommended.
If you dont want user must re-login, make a forever refresh token, create a function in reactjs for re-generate access token by refresh token if it expired.
Revoke refresh token only when u want to logout from this client.
Following documentation single-page applications using the authorization code flow with PKCE always have a refresh token lifetime of 24 hours.
I have the same scenario but I wonder if it is possible to set that refresh token expiration time on shorten than 24hours time or event do not use it and force user to type login and password every time access token expires?
Currently its fixed at 24 hours.
You could switch to implicit flow here to achieve this.
we are looking for some advice on how to use an access token within a long running background process that exceeds the token expiry. We are using Keycloak with OpenId Connect and we would like to stick to the standard. Maybe bend it a little bit, if necessary, but not overthrow it.
Use-Case:
User calls a service with his access token. The service starts a long running background process that calls other services. The access token is being sent to the other services in order to authorize the request and relate the action to the user (e.g. "changed by"). The background process may take days or even weeks.
Any ideas? Thanks in advance!
You need refresh token with offline_access scope. Such refresh token never expires and is used to get new access token when the old one expires.
To get refresh token with offline_access from KeyCloak user needs to have offline_access role and you should add "offline_access" to requested scopes.
More on this: https://stackoverflow.com/a/30638344/1540748
Another option is Client Credentials flow, but than you don't have user data in token.
Say I generated an authentication token on rackspace, and use it for a session login.
Now, for security reason I want to invalidate/revoke that token before the expiry date manually, so that on each new session of the application I have a new token to be safe.
Note: There is only one session at any given time.
I read the rackspace API docs. And it says that: the token's default lifespan is 24 hours. But that is too long. Can I set the expiration time manually?
The doc page at: http://docs.rackspace.com/cdns/api/v1.0/cdns-devguide/content/Authentication-d1e647.html
says that: A token may be manually revoked before the time identified by the expires attribute. So I started searching more but no luck.
There was this question on setting the expiration time manually for the token
https://community.rackspace.com/developers/f/7/t/669
and it say that there is no way to set it manually now.
I think revoking the token is possible currently, but I can't find any way for it, I just wanted to make sure I didn't miss something in the docs.
You should be able to revoke a token by sending a DELETE call to the identity endpoint: https://identity.api.rackspacecloud.com/v2.0/tokens/{tokenId}. It's documented in the identity service guide:
http://docs.rackspace.com/auth/api/v2.0/auth-client-devguide/content/DELETE_revokeToken_v2.0_tokens__tokenId__Token_Calls.html