Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-2125

User Actions email link expires too early



    • Bug
    • Status: Closed
    • Major
    • Resolution: Rejected
    • None
    • None
    • None
    • None
      • Set login action timeout to a value higher than SSO Session Idle and SSO session max.
      • Wait until the SSO Session Idle or Max time has passed
      • The link should now be expired


      We have discovered a somewhat strange behavior with the User Action timeouts. We need to have a fairly long User Action timeout but the links provided in the emails to the users expire well before that time. After some digging around in the source code I think this is because both a user and a client session is created for the user action, but when the user session expires and is removed the client session is also removed with it. If we set the User Session SSO timeout to the same value it does indeed seem to work as expected.

      This seems unintentional and I can't really see why the user session is created at all in this case as it is not really used as far as I can tell (the client session id is used in the email link)? OTOH I am not sure why the client session is removed when the user session expires? Or have we completely misunderstood how this is supposed to work?

      Anyway, as it is you can't really have a User Action timeout that is longer than the SSO Session timeout.




            Unassigned Unassigned
            samme_jira Samuel Otter (Inactive)
            7 Vote for this issue
            5 Start watching this issue