
Client Session Max isn't an exact override for SSO Session Max #21038

@arnotixe

Description

Before reporting an issue

  • I have searched existing issues
  • I have reproduced the issue with the latest release

Area

authentication

Describe the bug

Guessing the area is authentication; I don't know for sure.
Related discussion: https://keycloak.discourse.group/t/keycloak-server-issuing-already-expired-tokens/15900/3

Reproduce:

  • Refresh tokens on
  • All SSO session values default (default SSO Session Max = 10 hours)
  • My environment:
    • Keycloak 21.0.2
    • Next 13.1.6
    • next-auth 4.22.1

For a client, set

  • Access Token Lifespan to 1 minute
  • Client Session Idle to 2 minutes
  • Client Session Max to 3 minutes (problem)

This works as expected: the user can exchange tokens for up to 3 minutes, then the session maxes out. However, subsequent calls to {realm}/openid-connect/auth?xxx yield a 302 redirect back to the callback URI, and I get sent back for a refresh token -> access token exchange (which fails).

This situation persists until the SSO Session Max times out too. After that, calls from the client to {realm}/openid-connect/auth?xxx yield a 200 and the login page.

To test, I've set SSO Session Max / Client Session Max to different values, and when Client Session Max is shorter than SSO Session Max, the client still receives 302 responses to calls to /auth until SSO Session Max times out.

Example:

  • client: Client Session Max to 3 minutes
  • realm: SSO Session Max to 6 minutes
  • Result: after the session maxes out, I cannot get to the SSO login page (just 302 redirects back to the callback) between 3 and 6 minutes after first login. After the full 6 minutes (realm SSO Session Max) I get a 200 from Keycloak, and the login page.

Version

21.0.2

Expected behavior

Expected same behavior from setting:

  • [Client:] Client Session Max to 3 minutes
  • [Realm:] SSO Session Max to 10 hours

as when setting

  • [Client:] Client Session Max to 10 hours
  • [Realm:] SSO Session Max to 3 minutes

Actual behavior

When Client Session Max is shorter than SSO Session Max, the client still receives 302 responses to calls to /auth until SSO Session Max times out.

How to Reproduce?

Set Client Session Max shorter than SSO Session Max and enable refresh tokens.

Anything else?

I'm aware next-auth could be to blame, and I may not know enough to tell the difference. But I think the problem lies in Keycloak, since reversing the settings (setting SSO Session Max shorter than Client Session Max) does not exhibit the same behavior.

It could be that this is a configuration problem / me not understanding the config options, but from the option descriptions it seems SSO Session Max should be overridable per client by Client Session Max.
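When debugging a report like the one above, the first thing to check is what the refresh token itself says: its exp claim should never exceed the session start plus the shorter of Client Session Max and SSO Session Max, and a refresh token whose exp is already behind its iat is the "already expired tokens" symptom from the linked discussion. The following is an added example (not code from this issue or from the Keycloak project) that decodes a token payload without verifying the signature, so it is for diagnosis only, and compares exp against a simple model of the expected cap. The seconds values, the constructed token and the expected-expiry model are assumptions for illustration, not a statement of Keycloak's internal algorithm.

```python
"""Diagnose a refresh token's lifetime against realm/client session caps.

Added example, not part of the issue above. Decodes a JWT payload WITHOUT
signature verification (diagnostic use only) and compares `exp` with the
cap one would expect from the reporter's settings.
"""
import base64
import json

# Settings from the issue's 3-minute / 6-minute example, in seconds.
# The mapping to Keycloak's fields is an assumption for illustration.
SSO_SESSION_MAX = 6 * 60        # realm: SSO Session Max
CLIENT_SESSION_MAX = 3 * 60     # client: Client Session Max
CLIENT_SESSION_IDLE = 2 * 60    # client: Client Session Idle


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: diagnostic only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def expected_refresh_exp(issued_at: int, session_started: int,
                         idle: int = CLIENT_SESSION_IDLE,
                         client_max: int = CLIENT_SESSION_MAX,
                         sso_max: int = SSO_SESSION_MAX) -> int:
    """Model (assumption) of the cap a refresh token should carry: the idle
    window from issuance, but never past the session end, which is the
    shorter of the client and realm maxima measured from session start."""
    session_end = session_started + min(client_max, sso_max)
    return min(issued_at + idle, session_end)


def diagnose(token: str, now: int) -> dict:
    """Summarise whether a refresh token is usable at time `now`."""
    claims = decode_claims(token)
    exp = int(claims["exp"])
    iat = int(claims["iat"])
    return {
        "session_state": claims.get("session_state"),
        "seconds_left": exp - now,
        "expired_on_arrival": exp <= iat,   # the "already expired" symptom
        "expired_now": exp <= now,
    }


def make_token(claims: dict) -> str:
    """Build an unsigned (alg=none) token for offline testing. Constructed
    input; a real Keycloak token carries a signature in the third segment."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    started = 1_700_000_000
    # Refresh issued 2.5 minutes into the session: the idle window would allow
    # 4.5 minutes, but the 3-minute Client Session Max caps it at 3 minutes.
    issued = started + 150
    tok = make_token({"iat": issued,
                      "exp": expected_refresh_exp(issued, started),
                      "session_state": "constructed-session-id",
                      "typ": "Refresh"})
    print(diagnose(tok, now=started + 200))
```

If a live token's exp lands past session start plus the client max, the client cap is not being applied; if exp is below iat, the server minted a token that was dead on arrival, which is the condition the reporter hits between the client max and the realm max.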

Labels: area/oidc (Indicates an issue on OIDC area), kind/bug (Categorizes a PR related to a bug)