Tokens & sessions
These settings control how long credentials and sessions stay valid — the trade-off between convenience and the window a stolen token or session is usable.
Access-token lifespan
Section titled “Access-token lifespan”How long an issued access token is accepted.
- Recommended: short — 300 seconds (5 min), the default. Use refresh tokens for longevity.
- Ask the assistant: “Set the access-token lifespan to 5 minutes for acme-prod.”
- Keycloak: Realm settings → Tokens → Access Token Lifespan.
SSO session timeouts
Section titled “SSO session timeouts”- Idle timeout — session ends after this much inactivity. Recommended: 30 min (default).
- Max lifespan — hard cap regardless of activity. Recommended: 10 hours or less.
- Ask the assistant: “Set the SSO idle timeout to 30 minutes for acme-prod.”
- Keycloak: Realm settings → Sessions.
Keep idle timeouts short for pools accessed on shared or unattended devices.
Refresh-token rotation
Section titled “Refresh-token rotation”Whether a refresh token is invalidated when it’s used (rotation).
- Recommended: on — enable Revoke refresh token with a small max-reuse. A leaked refresh token is then invalidated the next time the legitimate client rotates it.
- Ask the assistant: “Turn on refresh-token rotation for acme-prod.”
- Keycloak: Realm settings → Tokens → Revoke Refresh Token.