Access/Refresh token times when using OIDC authentication and Keycloak #6800
I am using the latest version of Envoy Gateway (1.5.0) and the most current version of Keycloak (26.3.2). I am using OIDC authentication and this is all working. Compared to my prior solution using nginx-ingress and oauth2-proxy, this approach seems to be causing me to log in to Keycloak far more frequently. I am trying to figure out exactly what settings in Keycloak actually affect the cookies and expiration times of the tokens included. I am using the refreshToken: true setting. Right now, for instance, in Keycloak I have the OAuth client setting for access token lifespan to be 1 day, and the OauthHMAC-xxxx key expires in 24 hours, as do the accessToken-xxxx cookies. The refresh token, however, has a 30 minute expiration time. The only thing I can see that is 30 minutes is in the Realm settings, the sessions tab, the SSO idle setting is 30 minutes. I have an SSO Session Max of 7 days, and an offline session idle time of 30 days. It's very difficult to tell at this point what setting in Keycloak is actually driving the JWT / cookie expiration times, and more importantly how to achieve longer times between requested logins. Normally, I would expect the access token to have a short refresh (like the 30 minute range) and then the refresh token could be longer, maybe even a week or so. What would I set in Keycloak to achieve this (I don't think there is anything to control on the Envoy side?)
Figured it out. Guess I'll leave these links here for posterity if anyone else has the same questions:
https://stackoverflow.com/questions/38114832/keycloak-can-i-set-the-expiry-of-a-token-per-client-user-role
https://stackoverflow.com/questions/52040265/how-to-specify-refresh-tokens-lifespan-in-keycloak/67624190#67624190
Ultimately, I ended up setting the realm setting SSO Session Idle and Session Max to 7 days, and the client Access Token Lifespan to 2 hours. It seems to be working correctly now.
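As an added diagnostic example (not code from this thread, Keycloak, or the Envoy Gateway project): decode the access and refresh tokens you already hold, read their iat/exp claims, and map each observed lifetime to the Keycloak setting that produces it, so mismatches like the 30-minute refresh token in the question are quickly traced to SSO Session Idle. The settings dict keys, helper names and sample tokens are assumptions constructed for this example.

```python
import base64
import json

# Keycloak values from the thread, in seconds. The dict keys and the helper
# names below are assumptions made for this example, not Keycloak API names.
THREAD_SETTINGS = {
    "sso_session_idle": 30 * 60,            # Realm > Sessions > SSO Session Idle
    "sso_session_max": 7 * 24 * 3600,       # Realm > Sessions > SSO Session Max
    "access_token_lifespan": 5 * 60,        # Realm > Tokens (Keycloak default)
    "client_access_token_lifespan": 86400,  # Client > Advanced > Access Token Lifespan
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_token(claims: dict) -> str:
    """Build an unsigned compact JWT for testing (constructed, not issued by Keycloak)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def token_lifetime(token: str) -> tuple:
    """Return (typ, exp - iat) from a JWT payload. No signature check here:
    this only inspects the lifetimes of tokens you already hold, never trusts them."""
    _hdr, payload, _sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return claims.get("typ"), claims["exp"] - claims["iat"]

def explain_lifetime(typ: str, lifetime: int, settings: dict) -> str:
    """Name the Keycloak setting that should produce the observed lifetime."""
    if typ == "Bearer":  # Keycloak access tokens carry typ=Bearer
        expected = settings.get("client_access_token_lifespan") or settings["access_token_lifespan"]
        source = "Access Token Lifespan (client override, else realm)"
    elif typ == "Refresh":  # Keycloak refresh tokens carry typ=Refresh
        expected = min(settings["sso_session_idle"], settings["sso_session_max"])
        source = "SSO Session Idle, capped by SSO Session Max"
    else:
        return f"{typ!r}: no mapping for this token type"
    verdict = "matches" if lifetime == expected else f"differs from expected {expected}s"
    return f"{typ} token lives {lifetime}s: {verdict} {source}"

# Constructed samples mirroring the lifetimes reported in the question.
SAMPLE_ACCESS = make_token({"typ": "Bearer", "iat": 1_700_000_000, "exp": 1_700_086_400})
SAMPLE_REFRESH = make_token({"typ": "Refresh", "iat": 1_700_000_000, "exp": 1_700_001_800})

if __name__ == "__main__":
    for tok in (SAMPLE_ACCESS, SAMPLE_REFRESH):
        print(explain_lifetime(*token_lifetime(tok), THREAD_SETTINGS))
```

On a live gateway, paste the value of the accessToken cookie (and the refresh token from Envoy's session store) into token_lifetime instead of the samples; the refresh lifetime tracks SSO Session Idle, which is why raising it to 7 days lengthened the interval between logins.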