SSO Idle Timeout / Auto-Refresh pages - how do you handle this?


Björn Eickvonder

Nov 28, 2022, 11:46:19 AM
to Keycloak User
Hi,

I have a single page application using the Keycloak JavaScript adapter. Now I have various dialogs in my application where an auto-refresh is implemented, i.e. data is reloaded after 30 seconds.
This means that automatically after 5 minutes the refresh token is used to get a new access token, so as long as the user stays on this dialog the SSO Idle timeout doesn't have any effect, only SSO Max Timeout will log the user out after 10 hours.

How do you handle these cases?

- Keep it as is, i.e. user idle timeout is not used?
- Implement some magic in the client that the browser knows when the user is active or not?

Björn

Tony Harris

Nov 29, 2022, 4:16:15 AM
to Björn Eickvonder, Keycloak User
Personally I hate this approach but one of our web apps uses a worker thread in the browser that just calls a NOP endpoint every 5 minutes that refreshes the access token.

None of the other endpoints perform token refresh.

Others may not like my preferred approach of passing the X-Requested-With header as XMLHttpRequest and then dealing with the 401 response and having a common handler that refreshes the token, but at least it allows a natural session idle timeout to occur and log out the application.

For me it comes down to what is important: allowing the user to be logged in and idle for hours, or an application that logs out automatically after a period of pre-determined idle time.

Tony
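
The two ideas in this thread (the client knowing whether the user is active, and a common 401 handler that refreshes the token) can be combined so that auto-refresh polls alone never extend the session. The sketch below is an added example, not code from either poster or from the Keycloak project: `IDLE_LIMIT_MS`, `createActivityTracker`, `watchUserInput` and `requestWithIdleCheck` are hypothetical names, `kc` is assumed to be an initialised keycloak-js instance (`token`, `updateToken`, `logout`), and `send` is assumed to be the application's own function that issues a request with the given bearer token.

```javascript
// Added example, not from the thread. All helper names and IDLE_LIMIT_MS are
// assumptions; choose the limit to match the idle policy you want enforced.
const IDLE_LIMIT_MS = 5 * 60 * 1000;

// Records the last real user interaction. Timers and auto-refresh polls
// never call mark(), so background traffic cannot make the user look active.
function createActivityTracker(now = Date.now) {
  let last = now();
  return {
    mark() { last = now(); },
    isIdle(limit = IDLE_LIMIT_MS) { return now() - last >= limit; },
  };
}

// Browser wiring: only input events count as activity (target is usually `document`).
function watchUserInput(tracker, target) {
  for (const ev of ['pointerdown', 'keydown', 'wheel', 'touchstart']) {
    target.addEventListener(ev, tracker.mark, { passive: true });
  }
}

// Common handler: send with the current token; on 401, refresh only when the
// user has interacted recently, otherwise end the session.
async function requestWithIdleCheck(kc, tracker, send) {
  const first = await send(kc.token);
  if (first.status !== 401) return first;
  if (tracker.isIdle()) {
    await kc.logout();            // idle user: do not touch the refresh token
    return first;
  }
  try {
    await kc.updateToken(30);     // keycloak-js: refresh if expiring within 30 s
  } catch (err) {
    await kc.logout();            // refresh rejected, e.g. SSO session already ended
    return first;
  }
  return send(kc.token);          // retry once with the new access token
}
```

With this wrapper the 30-second data reload still runs, but once the access token expires it is only renewed if an input event was seen within `IDLE_LIMIT_MS`.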


