New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add information about token expiry to events #28312
base: main
Are you sure you want to change the base?
Conversation
Closes keycloak#28311 Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
@stianst - I remember I heard from first some time ago that client might refresh their access tokens too often, even if they are still valid for quite some time. I want to add some additional information to the event to track this scenario, and also to help admins by deploying a ready-to-use event listener. I'd be happy to hear your thoughts on this. Thanks! |
Thanks for the pointer! I am also familiar with this situation from many customer deployments. I think these checks are very helpful in alerting teams to unfavorable client implementations at an early stage. However, I wonder whether this should really be a configurable event listener or rather a built-in check during token refresh. A warning such as premature token renewal detected could actually always be helpful, right? I only see a few situations where such warnings might be triggered despit being "legit":
So for some client's this might be acceptible behaviour for others it might not. Your implementation allows us to detect the general case, however can we also allow users to provide additional configuration to detect which client's refresh behaviour is legit and which one's is not? |
Thank you for the feedback. The event listener was the result of making it configurable via the UI (possibly per realm). So while the data is collected all the time and you are free to analyze it as you need, the event listener is one initial way to use that data. Depending on feedback, it might be enabled by default. A client that is too eager to refresh might benefit from a longer lifetime of the access tokens, and the warning will no longer be there. Eventually we could have a client attribute which suppresses the message. Not sure about a good naming for that attribute here - I am also looking for a good name for the event listener. Ideas are welcome. |
Updated PR description to contain some documentation-in-a-nutshell. |
@ahus1 I have read your PR, for my use case for example, it will be useful to be able to enable a specific event listener by configuration on one realm only. Like @thomasdarimont proposed, a client attribute (toggle) like |
Closes #28311
What this PR adds:
What a user can do:
Documentation and tests are is still missing.