KEYCLOAK-1267 add a separate sso_max_lifespan parameter for remember me #2338
cfsnyder wants to merge 1 commit into keycloak:master from
DO NOT MERGE UNTIL 1.9.x IS CREATED
This doesn't address KEYCLOAK-1267. The main issue with KEYCLOAK-1267 is that the session times out due to the idle (SSO Session Idle Timeout), not that the session reaches maximum length. I actually disagree that we need a max session time. The max session time has nothing to do with whether or not the user has selected the remember me option or not. It's the maximum time an admin is willing to let a session last. I'm going to reject this PR as it doesn't resolve the issue, but just brings additional unnecessary complexity. The correct solution to KEYCLOAK-1267 is to introduce an option (should be enabled by default) to ignore SSO Session Idle Timeout if remember me is selected. If you disagree with this please bring it up on the Keycloak developer mailing list.
Previously remember-me sessions were tied to the SSO max session timeout which could lead to unexpected early session timeouts. We now allow SSO timeouts to be configured separately for sessions with remember-me enabled. This enables users to opt in for longer session timeouts. SSO Session Timeouts for RememberMe can now be configured in the tokens tab in the realm admin console. Max SSO timeouts for Remember-me need to be equal to or greater than normal max SSO timeouts. Note that most of the work for this PR was done by @cfsnyder and is based on his earlier PR keycloak#2338. I just adapted his code to the latest Keycloak API changes. Signed-off-by: Thomas Darimont <[email protected]>
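A small model of the two policies discussed in the review comment and the commit message above (a separate max lifespan for remember-me sessions, and the reviewer's proposal to skip the idle-timeout check when remember me is selected), added here as an illustration; it is not Keycloak code, and `RealmTimeouts`, `UserSession` and `expiry_reason` are invented names. It shows why a longer max lifespan alone does not keep a remember-me session alive: the idle timeout still ends it.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RealmTimeouts:
    """Realm-level SSO limits in seconds (constructed model, not Keycloak's RealmModel)."""
    sso_idle: int                               # SSO Session Idle Timeout
    sso_max: int                                # SSO Session Max Lifespan
    sso_max_remember_me: Optional[int] = None   # separate max lifespan for remember-me (this PR)
    ignore_idle_for_remember_me: bool = False   # reviewer's proposal: no idle check for remember-me

    def validate(self) -> None:
        # The commit message requires the remember-me max to be >= the normal max.
        if self.sso_max_remember_me is not None and self.sso_max_remember_me < self.sso_max:
            raise ValueError("remember-me max lifespan must be >= normal max lifespan")


@dataclass
class UserSession:
    started: int        # epoch seconds when the SSO session was created
    last_refresh: int   # epoch seconds of the last activity (login or token refresh)
    remember_me: bool


def expiry_reason(session: UserSession, cfg: RealmTimeouts, now: int) -> Optional[str]:
    """Return None while the session is valid, otherwise which limit ended it ('max' or 'idle')."""
    cfg.validate()
    max_lifespan = cfg.sso_max
    if session.remember_me and cfg.sso_max_remember_me is not None:
        max_lifespan = cfg.sso_max_remember_me
    # The max lifespan is an admin hard limit and applies regardless of remember me.
    if now - session.started > max_lifespan:
        return "max"
    # Only the reviewer's option actually stops the idle timeout from ending the session.
    if session.remember_me and cfg.ignore_idle_for_remember_me:
        return None
    if now - session.last_refresh > cfg.sso_idle:
        return "idle"
    return None
```

With a 30 minute idle timeout, a remember-me user who is inactive for two hours is logged out under the separate-max policy but stays logged in when the idle check is skipped.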
This PR adds a new realm configuration option for the SSO max lifespan when the remember me option is set. Addresses this issue: https://issues.jboss.org/browse/KEYCLOAK-1267