
I am referencing the following tutorials to combine Keycloak OAuth2 and Spring Boot + Spring Gateway + Spring Security + Spring Session to save the HTTP session in Redis:

I would like to control the idle timeout of logged-in users. If logged-in users do anything within this idle period, they should always keep their login status.

I find there are 2 settings I could configure:

  • Keycloak SSO Session Idle Time on Keycloak UI
  • Spring Session Timeout in the Spring Boot application.yml

After a user logs in to my website through Spring Gateway, I checked the TTL in Redis and always see that it is the same as the Spring Session Timeout, which suggests the Keycloak SSO Session Idle Time does not work.

So users will be redirected to Keycloak after 30 mins of idle time when accessing exposed Spring Gateway endpoints, then automatically re-login to Keycloak again, and finally be redirected back to Spring Gateway. Although users can continue on my website after 30 mins of idle time, they still need to be redirected to Keycloak first to complete the re-login process.

From my understanding, the 30 mins mentioned above is only related to the Spring Session Timeout, right? Keycloak SSO Session Idle Time has no impact here. Please correct me if I am wrong.

Each user has two distinct sessions in your system: one on Keycloak and a different one on your BFF.

These sessions live independently of each other.

What you configure as SSO session timeout in Keycloak influences only the Keycloak session, not the BFF one. It has an impact on what happens when the user is redirected to Keycloak (because the BFF session is not authorized or the refresh token has expired). But it changes nothing about how the BFF behaves.

  • Thank you for the great tutorials on OAuth2 and BFF! OK, I get it. Just curious, how do you usually handle this case? Do we need to increase the Spring Gateway session timeout (BFF session timeout) manually to avoid frequent logout of Spring Session? In the tutorial, I just saw "Schedule a refresh() call just before the access token expires (keep the session alive)" in 6.2. User Service. Are you using refresh() on the frontend to keep the session alive? Thank you!
    – zhfkt
    Commented Jun 10 at 14:11
  • Yes, I have the frontend use the refresh() method.
    – ch4mp
    Commented Jun 10 at 15:30
  • OK. I think we are not able to invoke refresh on the frontend if the browser is closed, and the Spring Gateway session will expire as well on your side. So you will also meet this issue where the BFF session expires in 30 mins, since the Spring Session timeout is fixed to 30 mins by default - stackoverflow.com/questions/32501541/…
    – zhfkt
    Commented Jun 10 at 16:06
  • It seems to me that it is a desirable feature: the session is kept alive only if the browser tab is kept open. If the tab is closed and the BFF session idle timeout is reached, then the session is closed. Just configure what you want as session timeout.
    – ch4mp
    Commented Jun 10 at 16:19
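As an added illustration of the two-session model from the answer and the refresh() discussion in the comments (example code written for this page, not code from the question, the answer or the tutorials), here is a toy Python model of both idle clocks. The 30-minute Spring Session timeout is the value discussed above; the 2-hour Keycloak SSO Session Idle value and the helper names `bff_request` and `refresh` are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

BFF_SESSION_TIMEOUT = 30 * 60   # Spring Session idle timeout in seconds (30 min default, from the page)
SSO_SESSION_IDLE = 2 * 60 * 60  # ASSUMED Keycloak "SSO Session Idle" value in seconds (2 h)


@dataclass
class Sessions:
    """Last activity (seconds) seen by each side; None means no session exists yet."""
    bff_last_seen: Optional[float] = None   # Spring Session in Redis (TTL = BFF_SESSION_TIMEOUT)
    sso_last_seen: Optional[float] = None   # Keycloak SSO session idle clock


def _alive(last_seen: Optional[float], now: float, timeout: float) -> bool:
    return last_seen is not None and now - last_seen < timeout


def login(s: Sessions, now: float) -> None:
    """Full or silent login through Keycloak: both sessions are (re)created."""
    s.bff_last_seen = now
    s.sso_last_seen = now


def bff_request(s: Sessions, now: float) -> str:
    """A browser request to a gateway endpoint. Keycloak is only contacted when the BFF
    session is gone, and only then does the SSO idle timeout decide what the user sees."""
    if _alive(s.bff_last_seen, now, BFF_SESSION_TIMEOUT):
        s.bff_last_seen = now            # Spring Session resets the Redis TTL on every request
        return "served"
    # BFF session expired -> redirect to Keycloak (the behaviour described in the question)
    sso_still_valid = _alive(s.sso_last_seen, now, SSO_SESSION_IDLE)
    login(s, now)
    return "silent-relogin" if sso_still_valid else "full-login"


def refresh(s: Sessions, now: float) -> bool:
    """The frontend's scheduled refresh() call: the BFF session is touched and the refresh
    token is used at Keycloak, which restarts its SSO idle clock as well. Returns False when
    either session has already expired (a closed tab cannot schedule this call)."""
    if not _alive(s.bff_last_seen, now, BFF_SESSION_TIMEOUT):
        return False
    if not _alive(s.sso_last_seen, now, SSO_SESSION_IDLE):
        return False
    s.bff_last_seen = now
    s.sso_last_seen = now
    return True
```

Running `bff_request` 31 minutes after the last activity yields "silent-relogin" while the SSO idle clock is still valid and "full-login" once it has also run out; periodic `refresh` calls keep both clocks alive.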
