KEYCLOAK-17458 Add opportunity to refresh token in advance


shkiltos

Mar 20, 2021, 4:30:28 PM
to Keycloak Dev
Hey, guys! I've created a PR where the updated keycloak js instance allows the client to set a time value (in seconds) that allows refreshing the token N seconds before it expires. I believe this is really helpful in some cases (more details in the Jira ticket).
What do you guys think?

https://github.com/keycloak/keycloak/pull/7873
https://issues.redhat.com/browse/KEYCLOAK-17458

Václav Muzikář

Mar 22, 2021, 3:34:40 AM
to shkiltos, Keycloak Dev
Hi,
thank you for your contribution. Let's wait for other folks with deeper JS adapter knowledge than I have, but IMHO this is not a correct approach to preventing your app from being logged out (if I correctly understand the problem). You can always call updateToken [1] before using that token to ensure it's fresh enough. This even allows you to refresh it in advance.

Vašek

--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/4a7a6ef1-e891-4080-8910-cec6d432cfb0n%40googlegroups.com.


--
Václav Muzikář
Senior Software Engineer
Keycloak / Red Hat Single Sign-On
Red Hat Czech s.r.o.

Václav Muzikář

Mar 22, 2021, 4:10:05 AM
to shkiltos, Keycloak Dev

Marek Posolda

Mar 22, 2021, 6:14:46 AM
to Václav Muzikář, shkiltos, Keycloak Dev

Stian Thorgersen

Mar 22, 2021, 6:39:44 AM
to Marek Posolda, Václav Muzikář, shkiltos, Keycloak Dev
+1 Not sure what this is achieving that can't already be done

shkiltos

Mar 22, 2021, 8:30:07 AM
to Keycloak Dev
Playing with minValidity doesn't help in my case.
Let me explain with an example:
Imagine we have a client. On the client side I implement the onTokenExpired() method, which should contain updateToken(-1) or updateToken(whatever). This logic will be executed when the token expires, right?
But how does kc know that the token is expired? According to the code, onTokenExpired() is called inside setToken(), which kind of schedules the onTokenExpired() method (which in turn will contain updateToken()) to fire in ~20 minutes.
There's no chance for me to reduce this 20 mins value as a client.
Workaround for me: not to implement onTokenExpired() at all and schedule updateToken() myself, which looks bad (check the screen attached).

With my change this will be much less code.

I just wanted to share my thoughts, but I believe you're more experienced in this, so if you think it's useless, I'm fine with what we have:)

Thanks 

Monday, March 22, 2021 at 13:39:44 UTC+3, stho...@redhat.com:
Screenshot_1.jpg

Václav Muzikář

Mar 22, 2021, 8:35:20 AM
to shkiltos, Keycloak Dev
If I understand it correctly (and it's possible I don't :)) it seems to me like you're trying to schedule a token refresh regardless of user interaction. I believe it should not be done like that as it's potentially a security vulnerability. This way a user session might never expire (well, maybe when it hits SSO max).
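The two approaches discussed in this thread, as an added example that is not part of the original posts and not code from the keycloak-js adapter: the on-demand refresh Vašek recommends (call updateToken with a minValidity right before the token is used) versus a timer that refreshes the token regardless of user interaction. FakeKeycloak is a constructed stand-in that models only the adapter's isTokenExpired(minValidity) / updateToken(minValidity) semantics (the -1 "force refresh" case included) plus the idle and SSO-max session limits; the real updateToken returns a promise, whereas this mock is synchronous so the scenarios can be run as plain functions. All lifetimes and idle durations are made-up numbers.

```javascript
// Constructed stand-in for the keycloak-js adapter; NOT the real library.
class FakeKeycloak {
  constructor({ accessLifespan, idleTimeout, ssoMaxLifespan }) {
    this.accessLifespan = accessLifespan;   // seconds an access token is valid
    this.idleTimeout = idleTimeout;         // "SSO Session Idle": refresh token lifetime
    this.ssoMaxLifespan = ssoMaxLifespan;   // "SSO Session Max": hard cap on the session
    this.now = 0;                           // simulated clock, in seconds
    this.sessionStart = 0;
    this.tokenExp = this.accessLifespan;
    this.refreshExp = this.idleTimeout;
    this.refreshCount = 0;                  // how many refreshes the server saw
  }
  tick(seconds) { this.now += seconds; }

  // Like the adapter's isTokenExpired(minValidity): true when the token
  // expires within the next minValidity seconds.
  isTokenExpired(minValidity = 0) {
    return this.now + minValidity >= this.tokenExp;
  }

  // Like updateToken(minValidity): refresh only if the token is (about to be)
  // expired, or unconditionally when minValidity is -1. A refresh succeeds
  // only while the refresh token is inside the idle timeout and the session
  // is under SSO max. Returns 'fresh' | 'refreshed' | 'session-expired'.
  updateToken(minValidity = 5) {
    if (minValidity !== -1 && !this.isTokenExpired(minValidity)) return 'fresh';
    const idleOk = this.now < this.refreshExp;
    const maxOk = this.now < this.sessionStart + this.ssoMaxLifespan;
    if (!idleOk || !maxOk) return 'session-expired';
    this.tokenExp = this.now + this.accessLifespan;
    this.refreshExp = this.now + this.idleTimeout;   // activity extends idle window
    this.refreshCount += 1;
    return 'refreshed';
  }
}

// Recommended pattern: refresh on demand, right before the token is used.
// If the user was idle past the idle timeout, the session is gone and the
// app must send them to login instead of silently keeping the session alive.
function callApiWithFreshToken(kc, minValidity = 30) {
  const result = kc.updateToken(minValidity);
  if (result === 'session-expired') return { ok: false, reason: 'login required' };
  return { ok: true, refreshed: result === 'refreshed' };
}

// Scenario A: user is idle for idleSeconds, then makes one API call.
function simulateOnDemand(idleSeconds) {
  const kc = new FakeKeycloak({ accessLifespan: 300, idleTimeout: 1800, ssoMaxLifespan: 36000 });
  kc.tick(idleSeconds);
  return { ...callApiWithFreshToken(kc), refreshes: kc.refreshCount };
}

// Scenario B (the concern raised in the thread): a timer forces a refresh
// every intervalSeconds whether or not the user does anything, so the idle
// timeout never fires and the session only ends when SSO max is reached.
function simulateTimerRefresh(idleSeconds, intervalSeconds) {
  const kc = new FakeKeycloak({ accessLifespan: 300, idleTimeout: 1800, ssoMaxLifespan: 36000 });
  let elapsed = 0;
  while (elapsed + intervalSeconds <= idleSeconds) {
    kc.tick(intervalSeconds);
    elapsed += intervalSeconds;
    kc.updateToken(-1); // unconditional refresh, as from onTokenExpired -> updateToken(-1)
  }
  kc.tick(idleSeconds - elapsed);
  return { ...callApiWithFreshToken(kc), refreshes: kc.refreshCount };
}

// Quick comparison when run directly: 60 minutes of inactivity.
console.log('on-demand  :', simulateOnDemand(3600));        // login required, 0 refreshes
console.log('timer-based:', simulateTimerRefresh(3600, 240)); // still ok, 15 refreshes
```

With the on-demand pattern, a short idle gap (under the access token lifespan) costs no refresh, a longer one inside the idle timeout triggers exactly one refresh at the moment of use, and an idle gap past the idle timeout correctly ends in "login required". The timer variant keeps the session alive through the same hour of inactivity with fifteen refreshes, which is the behaviour the thread flags as undesirable.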

shkiltos

Mar 22, 2021, 8:45:51 AM
to Keycloak Dev
You're right. Hmm, probably this is an issue only in Swagger, where you hit 'try it out' to reach some endpoint and if an expired token is sent, it first gets the login HTML instead of the response body (which looks weird), and only after another call to the API refreshes the token because of the user's activity.

Monday, March 22, 2021 at 15:35:20 UTC+3, vmuz...@redhat.com: