KEYCLOAK-1267 Add dedicated SSO timeouts for Remember-Me#3161
KEYCLOAK-1267 Add dedicated SSO timeouts for Remember-Me#3161thomasdarimont wants to merge 2 commits intokeycloak:masterfrom
Conversation
|
Awesome @thomasdarimont, thanks for following up and updating that one! |
08be42b to
b9a4ecc
Compare
stianst
left a comment
There was a problem hiding this comment.
Sorry that it took so long to get back to you on this one. Looks OK, but I've added a couple comments inline. We need 'ssoSessionIdleTimeoutRememberMe' as well. This gives more flexibility in how to configure things. For example remember me allows cookie to last 365 days, but still needs a user to use the session at least every 30 days, while a non-remember me session is 30 days and idle 1 day.
There was a problem hiding this comment.
Please don't introduce extra changeSet for a specific version, we only want one changeset per-version. Just append to existing changeSet element if there is one.
There was a problem hiding this comment.
Okay, I moved the changes to the current changelog.
There was a problem hiding this comment.
Would be simpler to allow null and use ssoSessionMaxLifespan if not specified. Having SQL in these files worries me for compatibility reasons (in general, I think this particular SQL is fine though).
Previosuly remember-me sessions where tied to the SSO max session timeout which could lead to unexpected early session timeouts. We now allow SSO timeouts to be configured separately for sessions with enabled remember-me. This enables users to opt-in for longer session timeouts. SSO Session Timeouts for RememberMe can now be configured in the tokens tab in the realm admin console. Max SSO timeouts for Remember-me need to be equal or greater than normal max SSO timeouts. Note that most of the work for this PR was done by @cfsnyder and is based on his earlier PR keycloak#2338. I just adapted his code to the latest Keycloak API changes. Signed-off-by: Thomas Darimont <[email protected]>
b9a4ecc to
8717142
Compare
We now allow to control the idle timeout for a SSO session created with "remember me". Modified the jpa-changelog according to discussions in keycloak#3161.
8717142 to
d18b899
Compare
There was a problem hiding this comment.
should the default be 1 hour or 10 hours (as in the examples above e.g.: basicauthrealm.json)?
There was a problem hiding this comment.
I'm not sure what a better default would be here...
| </addColumn> | ||
|
|
||
| <addColumn tableName="REALM"> | ||
| <column name="SSO_MAX_LIFESPAN_REMEMBER_ME" type="INT" defaultValueNumeric="36000"/> |
There was a problem hiding this comment.
set this to 10 hours by default - can anyone think of a better default?
There was a problem hiding this comment.
I don't like having a default for this. Rather values for remember me should be optional and it should use non-remember me values if not specified.
| boolean sessionMaxOk = (userSession.getStarted() + (userSession.isRememberMe() ? realm.getSsoSessionMaxLifespanRememberMe() : realm.getSsoSessionMaxLifespan())) > currentTime; | ||
| int maxRememberMeIdleSessionAge = userSession.getLastSessionRefresh() + realm.getSsoSessionIdleTimeoutRememberMe(); | ||
| int maxSsoSessionAge = userSession.getLastSessionRefresh() + realm.getSsoSessionIdleTimeout(); | ||
| boolean sessionIdleOk = (userSession.isRememberMe() && maxRememberMeIdleSessionAge > currentTime) || maxSsoSessionAge > currentTime; |
There was a problem hiding this comment.
Note that I now take into account the ssoSessionIdleTimeoutRememberMe
stianst
left a comment
There was a problem hiding this comment.
A few comments inline. In general I think it would be better to use non-remember me values by default and optionally allow setting different values for remember-me.
| "accessCodeLifespanUserAction": 300, | ||
| "ssoSessionIdleTimeout": 600, | ||
| "ssoSessionMaxLifespan": 36000, | ||
| "ssoSessionIdleTimeoutRememberMe": 36000, |
There was a problem hiding this comment.
Don't add to existing realm files. That should not be required.
| "accessCodeLifespanUserAction": 300, | ||
| "ssoSessionIdleTimeout": 600, | ||
| "ssoSessionMaxLifespan": 36000, | ||
| "ssoSessionIdleTimeoutRememberMe": 36000, |
There was a problem hiding this comment.
Don't add to existing realm files. That should not be required.
| "accessCodeLifespanUserAction": 300, | ||
| "ssoSessionIdleTimeout": 600, | ||
| "ssoSessionMaxLifespan": 36000, | ||
| "ssoSessionIdleTimeoutRememberMe": 36000, |
There was a problem hiding this comment.
Don't add to existing realm files. That should not be required.
| "accessCodeLifespanUserAction": 300, | ||
| "ssoSessionIdleTimeout": 600, | ||
| "ssoSessionMaxLifespan": 36000, | ||
| "ssoSessionIdleTimeoutRememberMe": 36000, |
There was a problem hiding this comment.
Don't add to existing realm files. That should not be required.
|
|
||
| <addColumn tableName="ADMIN_EVENT_ENTITY"> | ||
| <column name="RESOURCE_TYPE" type="VARCHAR(64)"></column> | ||
| <column name="RESOURCE_TYPE" type="VARCHAR(64)"/> |
There was a problem hiding this comment.
Don't change code that is not relevant to your changes
| .ssoSessionIdleTimeout(3000) | ||
| .accessTokenLifespan(10000) | ||
| .ssoSessionMaxLifespan(10000) | ||
| .ssoSessionMaxLifespanRememberMe(10000) |
There was a problem hiding this comment.
Shouldn't be required to set this in existing tests. This test has nothing to do with your changes.
| "registrationAllowed": true, | ||
| "resetPasswordAllowed": true, | ||
| "editUsernameAllowed" : true, | ||
| "rememberMe" : false, |
There was a problem hiding this comment.
Why are you changing this?
|
|
||
| public void loginToMasterRealmAdminConsoleAs(UserRepresentation user) { | ||
| loginToAdminConsoleAs(adminConsolePage, loginPage, user); | ||
| loginToAdminConsoleAs(adminConsolePage, loginPage, user, false); |
There was a problem hiding this comment.
I don't understand the point in adding this. This is not the correct place to test remember me.
| "accessTokenLifespanForImplicitFlow" : 900, | ||
| "ssoSessionIdleTimeout" : 2, | ||
| "ssoSessionMaxLifespan" : 36000, | ||
| "ssoSessionIdleTimeoutRememberMe" : 36000, |
There was a problem hiding this comment.
Please don't add to irrelevant tests
| testStrategy.testLoginSSOMax(); | ||
| } | ||
|
|
||
| @Test |
There was a problem hiding this comment.
Adapter tests are not the correct place to test this. Rather use LoginTest or something else from the base tests inside the new Arquillian testsuite. Please remove all changes to the adapter tests inside testsuite/integration
Previously remember-me sessions where tied to the SSO max session timeout which could lead to unexpected early session timeouts. We now allow SSO timeouts to be configured separately for sessions with enabled remember-me. This enables users to opt-in for longer session timeouts. SSO session timeouts for remember-me can now be configured in the tokens tab in the realm admin console. This new configuration is optional and will tipically host values larger than the regular max SSO timeouts. If no value is specified for remember-me timeouts then the regular max SSO timeouts will be used. Work based on PR keycloak#3161 by Thomas Darimont <[email protected]>
Previously remember-me sessions where tied to the SSO max session timeout which could lead to unexpected early session timeouts. We now allow SSO timeouts to be configured separately for sessions with enabled remember-me. This enables users to opt-in for longer session timeouts. SSO session timeouts for remember-me can now be configured in the tokens tab in the realm admin console. This new configuration is optional and will tipically host values larger than the regular max SSO timeouts. If no value is specified for remember-me timeouts then the regular max SSO timeouts will be used. Work based on PR #3161 by Thomas Darimont <[email protected]>
Previously remember-me sessions where tied to the SSO max session timeout which could lead to unexpected early session timeouts. We now allow SSO timeouts to be configured separately for sessions with enabled remember-me. This enables users to opt-in for longer session timeouts. SSO session timeouts for remember-me can now be configured in the tokens tab in the realm admin console. This new configuration is optional and will tipically host values larger than the regular max SSO timeouts. If no value is specified for remember-me timeouts then the regular max SSO timeouts will be used. Work based on PR keycloak#3161 by Thomas Darimont <[email protected]>
Previously remember-me sessions where tied to the SSO max session
timeout which could lead to unexpected early session timeouts.
We now allow SSO timeouts to be configured separately for sessions
with enabled remember-me.
This enables users to opt-in for longer session timeouts.
SSO Session Timeouts for RememberMe can now be configured in the
tokens tab in the realm admin console. Max SSO timeouts for Remember-me
need to be equal or greater than normal max SSO timeouts.
Note that most of the work for this PR was done by @cfsnyder and
is based on his earlier PR #2338.
I just adapted his code to the latest Keycloak API changes.
Signed-off-by: Thomas Darimont [email protected]