...

The following objects have to be in place with Keycloak to enable authentication from JOC Cockpit: 

  • Realm configuration,
  • Client configuration,
  • User Accounts,
  • Roles.
    • Roles are used with the Identity Service Type KEYCLOAK. Roles are not required when using the Identity Service Type KEYCLOAK-JOC.

Realm

It is recommended to create a new realm and not to use the initial master realm. 

If no Keycloak Realm is present then it can be added in Keycloak. The default settings are sufficient. The realm must be enabled.

Client

If no Keycloak Client is present then it can be added in Keycloak.

...

  • Keycloak access tokens are created with the following restrictions:
    • time to live (TTL):
      • the access token will expire after the given period,
      • the Identity Service renews the access token 20s before expiration; this step is performed for an arbitrary number of renewals. It requires that the access token's TTL exceeds 60s and that the Keycloak permission for the token owner to renew a token is in place.
    • maximum time to live:
      • the access token's overall lifetime is limited, renewals cannot take place after the specified period.
  • If an access token cannot be renewed by the Identity Service then the user session is terminated and the user is forced to login and to specify credentials.
    • This happens in the event of the maximum TTL being exceeded or that the token has been revoked.
    • Keycloak administrators should configure reasonable values: a TTL of not less than about 300s and a maximum TTL of at least about 15 minutes, as otherwise users would have to log in again quite frequently.
  • The JOC Cockpit handles the idle timeout of user sessions independently of Keycloak, see JS7 - Identity Services.
    • If the idle timeout is exceeded then the user session is terminated.
    • In this case the Identity Service can revoke the access token with the Keycloak server, so that the token cannot be used after the JOC Cockpit session has ended.
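The following is an added example, not code from the JS7 or Keycloak projects. It builds a Keycloak realm import document containing the four objects listed above (realm, client, user accounts, roles), checks the configured lifetimes against the renewal rules described above, and simulates the renewal schedule and the session decisions of the Identity Service. The Keycloak attribute names (`accessTokenLifespan`, `ssoSessionMaxLifespan`, `directAccessGrantsEnabled`, ...) are Keycloak's realm import attributes; mapping the page's "time to live" to `accessTokenLifespan` and "maximum time to live" to `ssoSessionMaxLifespan`, the use of the password grant for the client, and the realm, client, user and role names are assumptions of this example.

```python
"""Added example: Keycloak realm import for JOC Cockpit plus token lifetime checks.
Not part of the JS7 or Keycloak code base. Lifetimes are in seconds."""
import json

# Values taken from the text above.
RENEW_LEAD_SECONDS = 20              # Identity Service renews the token this long before expiry
MIN_RENEWABLE_TTL_SECONDS = 60       # TTL must exceed this for renewal to work
RECOMMENDED_MIN_TTL_SECONDS = 300    # recommended lower bound for the TTL
RECOMMENDED_MIN_MAX_TTL_SECONDS = 15 * 60  # recommended lower bound for the maximum TTL


def build_realm(realm_name, client_id, users, roles, access_token_ttl, max_ttl, idle_timeout):
    """Return a Keycloak realm import document (RealmRepresentation) with the
    objects JOC Cockpit needs. `users` is a list of (username, password, [realm roles])."""
    return {
        "realm": realm_name,
        "enabled": True,                              # the realm must be enabled
        "accessTokenLifespan": access_token_ttl,      # assumption: this is the page's "time to live"
        "ssoSessionIdleTimeout": idle_timeout,
        "ssoSessionMaxLifespan": max_ttl,             # assumption: the page's "maximum time to live"
        "clients": [{
            "clientId": client_id,
            "enabled": True,
            "publicClient": False,                    # confidential client; the secret is set after import
            "directAccessGrantsEnabled": True,        # assumption: tokens are obtained via the password grant
        }],
        "users": [{
            "username": name,
            "enabled": True,
            "credentials": [{"type": "password", "value": password, "temporary": False}],
            "realmRoles": list(user_roles),           # only needed for Identity Service Type KEYCLOAK
        } for name, password, user_roles in users],
        "roles": {"realm": [{"name": role} for role in roles]},
    }


def check_lifetimes(realm):
    """Check TTL and maximum TTL against the renewal rules; returns a list of problems."""
    ttl, max_ttl = realm["accessTokenLifespan"], realm["ssoSessionMaxLifespan"]
    problems = []
    if ttl <= MIN_RENEWABLE_TTL_SECONDS:
        problems.append(f"TTL {ttl}s must exceed {MIN_RENEWABLE_TTL_SECONDS}s, otherwise the token cannot be renewed")
    elif ttl < RECOMMENDED_MIN_TTL_SECONDS:
        problems.append(f"TTL {ttl}s is below the recommended {RECOMMENDED_MIN_TTL_SECONDS}s")
    if max_ttl < RECOMMENDED_MIN_MAX_TTL_SECONDS:
        problems.append(f"maximum TTL {max_ttl}s is below the recommended {RECOMMENDED_MIN_MAX_TTL_SECONDS}s")
    if max_ttl < ttl:
        problems.append("maximum TTL is shorter than the TTL: the first token is already cut short")
    return problems


def renewal_schedule(ttl, max_ttl, lead=RENEW_LEAD_SECONDS):
    """Simulate renewals for a login at t=0. Returns (renewal times, time of forced re-login).
    Keycloak does not issue tokens valid beyond the session maximum, so expiry is capped."""
    renewals = []
    expires_at = min(ttl, max_ttl)
    while expires_at < max_ttl:
        renew_at = expires_at - lead
        renewals.append(renew_at)
        expires_at = min(renew_at + ttl, max_ttl)
    return renewals, expires_at


def session_action(now, last_activity, idle_timeout, token_expires_at, max_ttl,
                   revoked=False, lead=RENEW_LEAD_SECONDS):
    """Decide what happens at `now` seconds after login. JOC Cockpit's own idle timeout is
    checked first, independently of Keycloak; revocation and maximum TTL force a new login."""
    if now - last_activity >= idle_timeout:
        return "terminate: idle timeout, token revoked with Keycloak"
    if revoked:
        return "terminate: token revoked, user must log in again"
    if now >= max_ttl:
        return "terminate: maximum TTL exceeded, user must log in again"
    if now >= token_expires_at - lead:
        return "renew"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: names are placeholders, not JS7 defaults.
    realm = build_realm("js7", "joc-cockpit", [("jobscheduler", "secret", ["administrator"])],
                        ["administrator", "viewer"], access_token_ttl=300, max_ttl=900, idle_timeout=900)
    print(json.dumps(realm, indent=2))
    print("problems:", check_lifetimes(realm))
    print("renewals, forced login at:", renewal_schedule(300, 900))
    print(session_action(290, 100, 900, 300, 900))
```

With a TTL of 300s and a maximum TTL of 900s the Identity Service renews at 280s, 560s and 840s and the user must log in again at 900s; with a TTL of 60s or less `check_lifetimes` reports that renewal is impossible, which is the case that silently forces a login at every expiry.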

...