
I am developing an application with Keycloak as the authN service.

I would like to configure my application so that an access token has a 5 minute validity, a user will be logged out after 14 days of inactivity, and a user can remain logged on indefinitely as long as there is activity at least every 14 days.

In my realm settings, under "Access Token Lifespan" I have 5 minutes. In the Sessions tab, the SSO Session Idle is set to 14 days. In the same tab, the SSO Session Max is set to 9999 days.

When I log in with the password grant, I get an access token with an expiration 9999 days away and a refresh token with an expiration 9999 days away. I expected an access token with an expiration 5 minutes out and a refresh token with an expiration 14 days out.

What did I do wrong?


1 Answer


When I log in with the password grant, I get an access token with an expiration 9999 days away and a refresh token with an expiration 9999 days away. I expected an access token with an expiration 5 minutes out and a refresh token with an expiration 14 days out.

Your expectation is correct; more details on why can be read here.

It seems to be some kind of bug (overflow maybe?!) on the Keycloak side. If you use 999 days instead of 9999 days, the access token will be 5 minutes and the refresh token will be 14 days, as you expected.

From my tests on Keycloak 18 you can go up to 5419 days without any problem.

Today is 19/03/2023 and 5420 days from now is 19/01/2038, so basically it seems to me to be a manifestation of the Year 2038 Problem.

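A quick way to check a realm's session lifespans against the boundary the answer describes, as an added example that is not part of the original post: it assumes the expiry is computed as Unix epoch seconds and kept in a signed 32-bit field, which is the answer's hypothesis rather than a confirmed Keycloak internal, and it reproduces the 5419/5420-day cut-off from 19/03/2023.

```python
"""
Check whether Keycloak realm lifespans (configured in days, as in the
Sessions tab) would push a session or token expiry past the signed 32-bit
Unix epoch limit, i.e. the Year 2038 boundary the answer points to.

Assumption (hypothesis from the answer, not a verified Keycloak internal):
expiry = login time + lifespan, as epoch seconds, stored in a signed int32.
"""
from datetime import datetime, timezone

INT32_MAX = 2**31 - 1            # 2147483647 s -> 2038-01-19T03:14:07Z
SECONDS_PER_DAY = 86400
EPOCH_LIMIT = datetime.fromtimestamp(INT32_MAX, tz=timezone.utc)


def expiry_epoch(login_time: datetime, lifespan_days: int) -> int:
    """Epoch seconds at which a session started at login_time expires."""
    return int(login_time.timestamp()) + lifespan_days * SECONDS_PER_DAY


def fits_int32(login_time: datetime, lifespan_days: int) -> bool:
    """True if the computed expiry still fits a signed 32-bit epoch field."""
    return expiry_epoch(login_time, lifespan_days) <= INT32_MAX


def max_safe_days(login_time: datetime) -> int:
    """Largest whole-day lifespan whose expiry fits in a signed 32-bit epoch."""
    return (INT32_MAX - int(login_time.timestamp())) // SECONDS_PER_DAY


def check_realm(login_time: datetime, sso_idle_days: int, sso_max_days: int) -> dict:
    """Report which of the realm's day-denominated lifespans cross the limit."""
    return {
        "sso_session_idle_ok": fits_int32(login_time, sso_idle_days),
        "sso_session_max_ok": fits_int32(login_time, sso_max_days),
        "max_safe_days": max_safe_days(login_time),
    }


if __name__ == "__main__":
    # Constructed login time matching the answer's date (19/03/2023, midday UTC).
    login = datetime(2023, 3, 19, 12, 0, tzinfo=timezone.utc)
    print("32-bit epoch limit:", EPOCH_LIMIT.isoformat())
    print("realm with idle=14d, max=9999d:", check_realm(login, 14, 9999))
    print("realm with idle=14d, max=999d: ", check_realm(login, 14, 999))
```

Run it and compare `max_safe_days` with the SSO Session Max you intend to set; anything at or above it is in the region where the answer saw the 9999-day expirations.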