SSO session and Access token lifespan

[natbronislavska]

Hello,

I've noticed that lifespan settings in example keycloak realms (like here: https://github.com/strimzi/strimzi-kafka-oauth/blob/main/examples/docker/keycloak/realms/demo-realm.json) are set to very high values.

Is there any reason behind the choice for those values ? Are those recommended settings?

[mstruk]

These examples are not for production setup and should not be considered as best practice in any way.
There is a tradeoff between token lifetime and the load on the authorization server. Token lifetime shorter than 5 minutes, for example may be too much unnecessary load.
The token lifetime should be considered in combination with the authorizer used. For example, the KeycloakAuthorizer periodically refreshes grants from Keycloak which means one can remove access by removing permissions from the user, even if the token itself is still valid.
For the example specifically, I use it sometimes to remote debug using breakpoints and short token lifetimes are disruptive to the debugging flow.