Software Heritage

keycloak: Set SSO Session Idle to one week, Session Max to one month
Closed, Public

Authored by anlambert on May 6 2021, 2:54 PM.

Details

Summary

It enables extending an OpenID Connect refresh token expiration
from 30 minutes to one week.

It means a user does not have to log in with his credentials again
during that idle period.

For instance, when a user has logged in to SWH Web Applications
using a browser, if he visits the website again during that
idle period he will remain connected to his authenticated
session.

Please note that it does not affect user permissions encoded in
OIDC access tokens that are renewed every 5 minutes.

15:40 $ bin/octocatalog-diff --octocatalog-diff-args --no-truncate-details -t staging kelvingrove.internal.softwareheritage.org
Found host kelvingrove.internal.softwareheritage.org
Cloning into '/tmp/swh-ocd.tRNPqiYk/environments/production/data/private'...
done.
Cloning into '/tmp/swh-ocd.tRNPqiYk/environments/staging/data/private'...
done.
*** Running octocatalog-diff on host kelvingrove.internal.softwareheritage.org
I, [2021-05-06T15:41:03.438354 #568859]  INFO -- : Catalogs compiled for kelvingrove.internal.softwareheritage.org
I, [2021-05-06T15:41:03.694366 #568859]  INFO -- : Diffs computed for kelvingrove.internal.softwareheritage.org
diff origin/production/kelvingrove.internal.softwareheritage.org current/kelvingrove.internal.softwareheritage.org
*******************************************
  Keycloak_realm[SoftwareHeritageStaging] =>
   parameters =>
     sso_session_idle_timeout =>
      + 604800
     sso_session_max_lifespan =>
      + 2592000
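Review bot: this hunk has only `+` lines for `sso_session_idle_timeout` and `sso_session_max_lifespan`, so the two parameters were not managed before and the realm was running on Keycloak's built-in values; the summary's "from 30 minutes" should say it is that default being replaced, and the raw seconds deserve a comment in the manifest (604800 is 7 * 86400, 2592000 is 30 * 86400) so the next reader does not have to convert them to check that they match the title.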
*******************************************
  Keycloak_realm[SoftwareHeritage] =>
   parameters =>
     sso_session_idle_timeout =>
      + 604800
     sso_session_max_lifespan =>
      + 2592000
*******************************************
  Keycloak_realm[master] =>
   parameters =>
     sso_session_idle_timeout =>
      + 604800
     sso_session_max_lifespan =>
      + 2592000
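Review bot: this hunk applies the one-week idle and one-month max lifespan to the `master` realm as well, which is Keycloak's administration realm rather than the realm the summary's web-application users log in to; the summary only motivates the change for SWH Web Applications, so either scope the longer lifetimes to `SoftwareHeritage` and `SoftwareHeritageStaging`, or state in the summary why admin console sessions should also stay valid for a week without re-authentication.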
*******************************************
*** End octocatalog-diff on kelvingrove.internal.softwareheritage.org

Related to T3272
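The semantics the summary describes (the refresh token follows the idle timeout, the max lifespan caps even an active session, and permission changes still take effect within the access token lifespan) can be checked with a small model. This is an added example, not code from puppet-swh-site or from Keycloak: the two realm values are the ones in the octocatalog-diff output above, the 300-second access token lifespan is an assumption taken from the summary's "renewed every 5 minutes", and treating the boundary as inclusive (`<=`) is a modelling choice rather than Keycloak's exact implementation.

```python
"""Model of Keycloak SSO session expiry: idle timeout versus max lifespan.

Added example for this revision page; not code from Software Heritage's
puppet-swh-site or from Keycloak.  Realm values mirror the catalog diff
(604800 s idle, 2592000 s max); the 300 s access token lifespan is an
assumption taken from "renewed every 5 minutes" in the summary.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DAY = 24 * 3600
SSO_SESSION_IDLE_TIMEOUT = 604800    # 7 days, value from the catalog diff
SSO_SESSION_MAX_LIFESPAN = 2592000   # 30 days, value from the catalog diff
ACCESS_TOKEN_LIFESPAN = 300          # assumption: "renewed every 5 minutes"


@dataclass
class SsoSession:
    """One Keycloak SSO session: when it began and when it was last used."""
    started_at: int     # login time, in seconds
    last_refresh: int   # last refresh-token exchange, in seconds

    def is_valid(self, now: int) -> bool:
        # Idle rule: the refresh token must have been used within the idle window.
        idle_ok = now - self.last_refresh <= SSO_SESSION_IDLE_TIMEOUT
        # Max rule: however active the user is, the session ends at max lifespan.
        max_ok = now - self.started_at <= SSO_SESSION_MAX_LIFESPAN
        return idle_ok and max_ok


def visit(session: Optional[SsoSession], now: int) -> Tuple[SsoSession, str]:
    """A browser visit at time `now` (seconds).

    If the session is still valid, the refresh token is exchanged for a new
    access token ("renewed"); otherwise the user must log in again and a
    fresh session starts ("relogin").
    """
    if session is not None and session.is_valid(now):
        session.last_refresh = now
        return session, "renewed"
    return SsoSession(started_at=now, last_refresh=now), "relogin"


def simulate(visit_days: List[int]) -> List[Tuple[int, str]]:
    """Run a sequence of visits, given in days after the first one, through the model."""
    session: Optional[SsoSession] = None
    outcomes: List[Tuple[int, str]] = []
    for day in visit_days:
        session, outcome = visit(session, day * DAY)
        outcomes.append((day, outcome))
    return outcomes


def permission_change_latency() -> int:
    """Upper bound on how long a revoked role stays usable: one access token lifespan.

    The longer SSO session does not change this, because permissions live in
    the access token, which is re-issued (and re-evaluated) every 5 minutes.
    """
    return ACCESS_TOKEN_LIFESPAN


if __name__ == "__main__":
    # Login on day 0, then a visit every 6 days: each visit renews within the
    # 7-day idle window, until the 30-day max lifespan forces a new login on
    # day 36.  The 8-day gap between day 42 and day 50 exceeds the idle window
    # and forces another login.
    for day, outcome in simulate([0, 6, 12, 18, 24, 30, 36, 42, 50]):
        print(f"day {day:>2}: {outcome}")
    print(f"permission change visible within {permission_change_latency()} s")
```

The two rules are independent: a user who visits every few days never hits the idle timeout but is still logged out once the session is 30 days old, and a user who disappears for more than a week must log in again even on a young session. The constant `permission_change_latency` is there to make the summary's last paragraph concrete: extending the session changes how long a user stays logged in, not how long a revoked permission keeps working.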

Diff Detail

Repository: rSPSITE puppet-swh-site
Branch: staging
Lint: No Linters Available
Unit: No Unit Test Coverage
Build Status: Buildable 21339
Build 33141: arc lint + arc unit

Event Timeline

This revision is now accepted and ready to land. May 6 2021, 2:57 PM

Why 6 hours and not, say, 1 week or even 1 month?
It is very common these days to remain connected for that long, and the UX in having to relogin often is a lot worse.

In D5704#144807, @zack wrote:

Why 6 hours and not, say, 1 week or even 1 month?
It is very common these days to remain connected for that long, and the UX in having to relogin often is a lot worse.

You are right, let's go for one week then.

Update:

  • Set SSO Session Idle to one week
  • Set SSO Session Max to one month
This revision is now accepted and ready to land. May 6 2021, 3:39 PM
anlambert retitled this revision from "keycloak: Set SSO Session Idle to 6 hours" to "keycloak: Set SSO Session Idle to one week, Session Max to one month". May 6 2021, 3:41 PM
anlambert edited the summary of this revision.