By Steve Sobol user 07 May 2022 at 4:27 p.m. CDT

3 Responses
I'm setting up OpenID Connect. I've switched to Gluu from Keycloak, which I was never able to get working 100% correctly. Keycloak has a bunch of features I don't need, like multi-tenancy, but I did like the ability to set different timeout values for each client. I would like to be able to do that with Gluu. The first question I have is how to set up the following:

* I want the user's session to end if he doesn't log in for 14 days.
* I want the user's session to end after 30 days, regardless of whether he's logging in.

I've looked at oxauth.xml, but I'm not sure what I have to change. And... can I have different timeouts for different clients?

Thanks
--Steve

By Michael Schwartz Account Admin 07 May 2022 at 10:13 p.m. CDT

You are misunderstanding the concept of "session". The session is a cookie in the browser that is tracked by the OpenID Provider ("OP"). It is not specific to any client. Each application has its own "application session." I would tweak this directly in your application. If the application session is timed out, the application will display the login button. Now, if a session exists for that user at the OP, the browser redirect will skip the authn/authz phase and just return the code to the website (i.e. "client" or "RP"). If you want to force authn from this client, use the [OpenID Connect Authn Request param](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) `prompt=login`.
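The split described in this reply, as an added example that is not part of the thread and not Gluu's code: the relying party keeps its own application session with the 14-day idle timeout and 30-day absolute lifetime from the question, and when that session is gone it sends a fresh Authorization Code request, adding `prompt=login` if it wants the OP to re-authenticate rather than silently reuse its own cookie. The endpoint, client_id and redirect_uri values are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlencode

# Timeouts from the question. These are enforced by the application (RP),
# independently of the OP's browser session cookie.
IDLE_TIMEOUT = timedelta(days=14)
ABSOLUTE_LIFETIME = timedelta(days=30)


@dataclass
class AppSession:
    """State the application keeps after a successful OIDC login."""
    subject: str          # 'sub' claim from the validated id_token
    created_at: datetime  # when this application session was established
    last_seen: datetime   # last request that used this session


def session_is_valid(session: AppSession, now: datetime,
                     idle: timedelta = IDLE_TIMEOUT,
                     absolute: timedelta = ABSOLUTE_LIFETIME) -> bool:
    """Both limits apply independently: activity refreshes the idle timer
    but never extends the absolute lifetime."""
    if now - session.created_at >= absolute:
        return False
    if now - session.last_seen >= idle:
        return False
    return True


def touch(session: AppSession, now: datetime) -> AppSession:
    """Record activity. Only last_seen moves; created_at is fixed."""
    session.last_seen = now
    return session


def build_authorization_url(authorization_endpoint: str, client_id: str,
                            redirect_uri: str, state: str, nonce: str,
                            force_login: bool) -> str:
    """Authorization Code flow request. With force_login the RP adds
    prompt=login so the OP re-authenticates even if its own session cookie
    is still alive; without it, a live OP session skips straight to the code."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,  # CSRF binding; the callback must check it matches
        "nonce": nonce,  # echoed in the id_token; the RP must check it too
    }
    if force_login:
        params["prompt"] = "login"
    return f"{authorization_endpoint}?{urlencode(params)}"


def redirect_if_needed(session, now: datetime, force_login: bool,
                       authorization_endpoint="https://op.example/authorize",  # placeholder
                       client_id="rp-client-id",                               # placeholder
                       redirect_uri="https://rp.example/callback",            # placeholder
                       state="state-value", nonce="nonce-value"):
    """Return None while the application session is good; otherwise the
    authorization URL the application should send the browser to."""
    if session is not None and session_is_valid(session, now):
        return None
    return build_authorization_url(authorization_endpoint, client_id,
                                   redirect_uri, state, nonce, force_login)
```

Which of the two timers fires first is decided purely by the application's own clock and records; nothing in oxauth.xml needs to change for per-client behaviour like this, because the OP never sees these limits.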

By Steve Sobol user 07 May 2022 at 10:57 p.m. CDT

Michael, I think I misused the word "session." The protocol specifies several different response types. My client can request a code, token, or id_token or a combination of the three, according to the OIDC specs (and Gluu's own API docs) - and I was actually asking about the lifetime of the code or token. I understand that browser sessions are a completely different piece of the puzzle. This is my first time setting up SSO, and I'm not all that familiar with OIDC, so please do not hesitate to correct me if necessary.

By Michael Schwartz Account Admin 09 May 2022 at 12:57 p.m. CDT

The code is one-time use, so it expires as soon as it's presented. Token lifetime is configurable at the system level. There are several types of tokens: access_tokens (which are presented to an API); id_tokens (which are JWT identity assertions that contain the details of the authentication event); Userinfo tokens (a JWT that contains user claims). Search the oxAuth JSON properties for "lifetime" or "expiration" and you'll turn up some of the system configurations. Also, the client config may enable you to override some expirations.
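The two lifetimes this reply distinguishes, as an added example that is not Gluu's code or part of the thread: an OP-side authorization code store where a code is consumed on first presentation (and must match the client and redirect_uri it was issued to), and an RP-side check of a JWT's `exp` claim, which is where the configured token lifetime shows up. The JWT fixture is constructed for the example and carries a placeholder signature; the function reads only `exp`, and a real RP verifies the signature, `iss`, `aud` and `nonce` before trusting any claim.

```python
import base64
import json
import secrets
from dataclasses import dataclass


@dataclass
class _PendingCode:
    client_id: str
    subject: str
    redirect_uri: str
    expires_at: float  # Unix seconds


class AuthorizationCodeStore:
    """OP-side view of authorization codes: single use, short-lived, and
    bound to the client and redirect_uri that requested them."""

    def __init__(self, lifetime_seconds: float = 60.0):
        self.lifetime = lifetime_seconds
        self._pending: dict = {}

    def issue(self, client_id: str, subject: str, redirect_uri: str, now: float) -> str:
        code = secrets.token_urlsafe(32)  # unguessable, never reused
        self._pending[code] = _PendingCode(client_id, subject, redirect_uri,
                                           now + self.lifetime)
        return code

    def redeem(self, code: str, client_id: str, redirect_uri: str, now: float):
        """Return the subject on success, None otherwise. The code is removed
        before any check, so a failed or repeated presentation burns it."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        if entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            return None
        if now >= entry.expires_at:
            return None
        return entry.subject


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_expired(jwt: str, now: float, leeway: float = 0.0) -> bool:
    """Lifetime check only: compare the payload's exp claim with the clock.
    A token with no exp is treated as expired (fail closed)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = json.loads(_b64url_decode(parts[1]))
    exp = payload.get("exp")
    if exp is None:
        return True
    return now >= exp + leeway


def make_fixture_jwt(payload: dict) -> str:
    """Constructed test token: real header and payload encoding, placeholder
    signature segment. Only for exercising token_expired() offline."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"
```

The asymmetry is the point: the code's lifetime is "until first use" and is enforced by the OP's store, while the id_token and access_token carry their lifetime with them in `exp`, so each consumer (the RP for the id_token, the API for the access_token) enforces it on every presentation.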