
offlineSessionMaxLifespan and clientOfflineSessionMaxLifespan values still affect session lifetime regardless of offlineSessionMaxLifespanEnabled #15550

@yoransabern

Description


Area

authentication

Describe the bug

We recently noticed on our Keycloak v18 server that our offline sessions started expiring (before idle timeout) even though we have offlineSessionMaxLifespanEnabled set to false.

We noticed the values for clientOfflineSessionMaxLifespan and offlineSessionMaxLifespan were still set to a value greater than 0.
We can clearly see in the PUT auth/admin/realms/{realm-name} call that goes out when we use the save button in the administrator UI that these values do not get reset to 0 if offlineSessionMaxLifespanEnabled is set to false.

We're experiencing the exact same problem with v20.0; however, the only difference is that there's no way in the UI to change the clientOfflineSessionMaxLifespan value on realm level anymore. (If someone could shine a light on the difference between those two and why it's not in v20 anymore, that would be great.)

To me there seem to be two problems regarding this bug:

  1. The backend of keycloak should not be considering offlineSessionMaxLifespan or clientOfflineSessionMaxLifespan if offlineSessionMaxLifespanEnabled is set to false to invalidate sessions even if they have a value configured.
  2. The frontend needs to send value 0 for offlineSessionMaxLifespan and clientOfflineSessionMaxLifespan if offlineSessionMaxLifespanEnabled is false

Version

20.0.0

Expected behavior

  1. The backend of keycloak should not be considering offlineSessionMaxLifespan or clientOfflineSessionMaxLifespan if offlineSessionMaxLifespanEnabled is set to false to invalidate sessions even if they have a value configured.
  2. The frontend needs to send value 0 for offlineSessionMaxLifespan and clientOfflineSessionMaxLifespan if offlineSessionMaxLifespanEnabled is false

Actual behavior

  1. Offline sessions are expiring at the offlineSessionMaxLifespan and/or clientOfflineSessionMaxLifespan configured values even though offlineSessionMaxLifespanEnabled is false
  2. The frontend is sending the existing value for offlineSessionMaxLifespan and clientOfflineSessionMaxLifespan if offlineSessionMaxLifespanEnabled is false

How to Reproduce?

  1. Create a new realm
  2. Go to session configuration in the admin console
  3. Under Offline session settings set Offline Session Max Limited to true/on
  4. Set Offline Session Max to 1 minute
  5. Set Offline Session Idle to 90 Days (anything more than 1 works really)
  6. Save
  7. Under Offline session settings set Offline Session Max Limited to false/off
  8. Save
  9. Fetch a token using scope offline_access (ensure your user and client are configured to allow that)
  10. Attempt to use the refresh token from this response to fetch a new token after 1-5 minutes

Anything else?

No response
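The report above boils down to a realm representation that is internally inconsistent: offlineSessionMaxLifespanEnabled is false, but offlineSessionMaxLifespan and clientOfflineSessionMaxLifespan still hold non-zero values that the server goes on enforcing. The following script is an added example, not code from the issue or from the Keycloak project. It audits a RealmRepresentation for exactly that state and produces a corrected copy with the stale values zeroed, which is the workaround implied by the reporter's second expected-behaviour point. It assumes the field names used in the issue (offlineSessionMaxLifespanEnabled, offlineSessionMaxLifespan, clientOfflineSessionMaxLifespan, offlineSessionIdleTimeout), that the admin REST API exposes GET/PUT /admin/realms/{realm}, and that older exports may carry clientOfflineSessionMaxLifespan under the realm's attributes map; the base URL and admin token in main are placeholders, and the sample realm document is constructed for the example.

```python
"""Audit a Keycloak realm for the offline-session inconsistency described in
keycloak/keycloak#15550 and build the corrected representation.

Added example for this page; not Keycloak's own code.  Assumes:
  * RealmRepresentation fields: offlineSessionMaxLifespanEnabled,
    offlineSessionMaxLifespan, clientOfflineSessionMaxLifespan,
    offlineSessionIdleTimeout (values in seconds);
  * older realm exports may also carry clientOfflineSessionMaxLifespan as a
    string inside realm["attributes"];
  * admin REST endpoints GET/PUT {base}/admin/realms/{realm}.
"""
import copy
import json
import urllib.request

OFFLINE_MAX_FIELDS = ("offlineSessionMaxLifespan", "clientOfflineSessionMaxLifespan")
ATTR_CLIENT_MAX = "clientOfflineSessionMaxLifespan"  # key inside realm["attributes"]


def _as_int(value):
    """Realm attributes arrive as strings; top-level fields as ints. Normalise."""
    try:
        return int(value or 0)
    except (TypeError, ValueError):
        return 0


def audit_offline_session_settings(realm):
    """Return a list of findings; empty means the realm is consistent.

    A non-zero max lifespan is only a finding when the 'Offline Session Max
    Limited' switch is off, because that is when an admin expects it to be
    ignored but (per the issue) the server still enforces it.
    """
    findings = []
    if realm.get("offlineSessionMaxLifespanEnabled", False):
        return findings
    for field in OFFLINE_MAX_FIELDS:
        value = _as_int(realm.get(field))
        if value > 0:
            findings.append(
                f"{field}={value}s is set although offlineSessionMaxLifespanEnabled is false"
            )
    attr_value = _as_int((realm.get("attributes") or {}).get(ATTR_CLIENT_MAX))
    if attr_value > 0:
        findings.append(
            f"attributes.{ATTR_CLIENT_MAX}={attr_value}s is set although "
            "offlineSessionMaxLifespanEnabled is false"
        )
    return findings


def harden_offline_session_settings(realm):
    """Return a deep copy in which the stale max-lifespan values are zeroed
    whenever the max-lifespan switch is off.  The original is left untouched
    so the caller can diff the two before issuing a PUT."""
    fixed = copy.deepcopy(realm)
    if not fixed.get("offlineSessionMaxLifespanEnabled", False):
        for field in OFFLINE_MAX_FIELDS:
            fixed[field] = 0
        attrs = fixed.get("attributes")
        if isinstance(attrs, dict) and ATTR_CLIENT_MAX in attrs:
            attrs[ATTR_CLIENT_MAX] = "0"  # attribute values are strings
    return fixed


def fetch_realm(base_url, realm_name, admin_token):
    """GET the realm representation (hypothetical base_url; real endpoint path)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm_name}",
        headers={"Authorization": f"Bearer {admin_token}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def update_realm(base_url, realm_name, admin_token, realm):
    """PUT the corrected representation back; returns the HTTP status code."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm_name}",
        data=json.dumps(realm).encode(),
        method="PUT",
        headers={
            "Authorization": f"Bearer {admin_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample mirroring the reproduction steps in the issue:
    # max limited switched on, max set to 1 minute, idle set to 90 days,
    # then the switch turned off again without the value being reset.
    sample_realm = {
        "realm": "demo",
        "offlineSessionIdleTimeout": 90 * 24 * 3600,
        "offlineSessionMaxLifespanEnabled": False,
        "offlineSessionMaxLifespan": 60,
        "clientOfflineSessionMaxLifespan": 0,
        "attributes": {ATTR_CLIENT_MAX: "60"},
    }
    for finding in audit_offline_session_settings(sample_realm):
        print("FINDING:", finding)
    corrected = harden_offline_session_settings(sample_realm)
    print("corrected:", json.dumps(corrected, indent=2))
    # To apply against a live server (placeholders, not run here):
    # realm = fetch_realm("https://sso.example/auth", "demo", ADMIN_TOKEN)
    # update_realm("https://sso.example/auth", "demo", ADMIN_TOKEN,
    #              harden_offline_session_settings(realm))
```

Run the audit after every save from the admin console while the UI bug is unfixed; if it reports a finding, push the hardened representation with update_realm so offline refresh tokens are once again bounded only by offlineSessionIdleTimeout.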

Labels: area/authentication (Indicates an issue on Authentication area), kind/bug (Categorizes a PR related to a bug)
