[ 
https://issues.apache.org/jira/browse/NIFI-4890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17621343#comment-17621343
 ] 

John Browne commented on NIFI-4890:
-----------------------------------

Just a followup to this.

I ended up doing some additional testing with the settings in Keycloak.  The 
relevant settings are:

 
*Realm Global Settings:*
Configure / Realm Settings / Tokens / SSO Session Max (default 10 hours)
Configure / Realm Settings / Tokens / Access Token Lifespan (default 5 minutes)

*Realm Client Specific Settings:*
Configure / Clients / (client name) / Settings / Advanced Settings / Access 
Token Lifespan (defaults to null, inherits the global Access Token value)
 
 
The realm-specific "Access Token Lifespan", if null, defaults to the realm 
global "Access Token Lifespan" which defaults to 5 minutes.  
This matches the behavior we are seeing.  So I first 
tried changing it to 24 hours, examined the token on jwt.io, and noticed it was 
10 hours instead of 24.  So it appears it does not let you increase it past the 
realm global "SSO Session Max", which defaults to 10 hours.
 
There is also a realm client specific setting called "Client Session Max" but 
it appears the realm global "SSO Session Max" still overrides this value.
 
Bottom line, you can increase the Access Token Lifespan in the realm client 
specific settings up to 10 hours.  If you want it to be longer than that you 
likely will have to change the "SSO Session Max" value in the realm global 
settings.
 
Still testing, but it's been a couple hours now and I haven't had any timeouts 
yet.
 

> OIDC Token Refresh is not done correctly
> ----------------------------------------
>
>                 Key: NIFI-4890
>                 URL: https://issues.apache.org/jira/browse/NIFI-4890
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core UI
>    Affects Versions: 1.5.0
>         Environment: Environment:
> Browser: Chrome / Firefox 
> Configuration of NiFi: 
> - SSL certificate for the server (no client auth) 
> - OIDC configuration including end_session_endpoint (see the link 
> https://auth.s.orchestracities.com/auth/realms/default/.well-known/openid-configuration)
>  
>            Reporter: Federico Michele Facca
>            Assignee: David Handermann
>            Priority: Major
>         Attachments: image-2022-10-20-12-23-38-675.png
>
>
> It looks like the NiFi UI is not refreshing the OIDC token in the background, and 
> because of that, when the token expires, it tells you that your session is 
> expired, and you need to refresh the page to get a new token.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
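
The token check described in the comment above can also be done locally instead of on jwt.io. This is an added example, not part of the original comment and not NiFi or Keycloak code: it decodes a token's `iat` and `exp` claims without verifying the signature and compares the issued lifespan with the configured one. The sample token, its timestamps, the `azp` value and all function names are constructed for illustration.

```python
import base64
import json


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token: issued at a fixed time, expiring 10 hours later.
# The signature segment is a placeholder; nothing here verifies it.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iat": 1666260000, "exp": 1666260000 + 10 * 3600, "azp": "nifi"}),
    "constructed-signature",
])


def decode_claims(token: str) -> dict:
    """Return the JWT payload for inspection only (signature is NOT checked)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_lifespan(token: str) -> int:
    """Seconds between issuance (iat) and expiry (exp)."""
    claims = decode_claims(token)
    for name in ("iat", "exp"):
        if not isinstance(claims.get(name), int):
            raise ValueError(f"missing or non-integer claim: {name}")
    return claims["exp"] - claims["iat"]


def check_lifespan(token: str, configured_seconds: int, tolerance: int = 5) -> dict:
    """Compare the issued lifespan with the value set on the client."""
    actual = token_lifespan(token)
    return {
        "actual": actual,
        "configured": configured_seconds,
        # True when the server issued a shorter token than was configured
        "capped": actual < configured_seconds - tolerance,
    }


if __name__ == "__main__":
    print(check_lifespan(SAMPLE_TOKEN, 24 * 3600))
```
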
