Transient sessions: How to enable them?


Olivier Masseau

Mar 23, 2023, 2:25:56 PM
to Keycloak User
In the docs there is this section:

Transient sessions

You can conduct transient sessions in Keycloak. When using transient sessions, Keycloak does not create a user session after successful authentication. Keycloak creates a temporary, transient session for the scope of the current request that successfully authenticates the user. Keycloak can run protocol mappers using transient sessions after authentication.

During transient sessions, the client application cannot refresh tokens, introspect tokens, or validate a specific session. Sometimes these actions are unnecessary, so you can avoid the additional resource use of persisting user sessions. This session saves performance, memory, and network communication (in cluster and cross-data center environments) resources.


Question: OK, the documentation describes what a transient session is, but how do I enable transient sessions in Keycloak for a given client?

Can the client asking for a token specify through the API call that it wants a transient session (in case it does not need to later call refresh, introspection or validation endpoints)?

Björn Eickvonder

Mar 23, 2023, 9:00:54 PM
to Keycloak User

Thomas Darimont

Mar 24, 2023, 3:48:38 AM
to Keycloak User
Hello,

Transient Sessions were introduced as a feature for clients which use the client_credentials grant. For clients with service-accounts enabled, transient sessions can be enabled by selecting "use refresh token: off" in the advanced openid connect options of the client.

Transient Session usage for arbitrary clients can be used with the "hack" from the link with a custom authenticator that sets the client session note:
     context.getAuthenticationSession().setClientNote(AuthenticationManager.USER_SESSION_PERSISTENT_STATE, UserSessionModel.SessionPersistenceState.TRANSIENT.toString());
however, this is IMHO not officially supported and might break things. 

If support for this is necessary, then I recommend opening a discussion for a feature request here: https://github.com/keycloak/keycloak/discussions

Cheers,
Thomas
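
An added example, not part of the thread and not Keycloak project code: one way to check, from the client side, that a service-account client with "use refresh token: off" is no longer handed session-bound material. The `session_state` field and `sid` claim names are assumptions about what a session-backed response carries, and the sample responses are constructed.

```python
import base64
import json

# Fields tied to a persisted user session. "refresh_token" is what the
# thread's "use refresh token: off" setting controls; "session_state" and
# the "sid" claim are assumptions about a session-backed response.
RESPONSE_KEYS = ("refresh_token", "refresh_expires_in", "session_state")
CLAIM_KEYS = ("sid", "session_state")


def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def session_markers(token_response):
    """List session-bound fields present in a token endpoint response."""
    # A missing key and a zero/empty value (e.g. refresh_expires_in: 0) both count as absent.
    found = ["response." + k for k in RESPONSE_KEYS if token_response.get(k)]
    claims = jwt_claims(token_response["access_token"])
    found += ["claim." + k for k in CLAIM_KEYS if k in claims]
    return found


def looks_transient(token_response):
    """True when nothing in the response points at a persisted session."""
    return not session_markers(token_response)


def _fake_jwt(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


# Constructed sample responses, not captured from a real server.
PERSISTENT = {"access_token": _fake_jwt({"sub": "svc", "sid": "s-1"}),
              "refresh_token": "constructed", "refresh_expires_in": 1800,
              "session_state": "s-1"}
TRANSIENT = {"access_token": _fake_jwt({"sub": "svc"}), "refresh_expires_in": 0}

if __name__ == "__main__":
    for name, resp in (("persistent", PERSISTENT), ("transient", TRANSIENT)):
        print(name, looks_transient(resp), session_markers(resp))
```

Run against a real token response, a non-empty `session_markers` list after the setting change means the client is still being issued session-bound fields.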