RTR Configuration on Eureka

Overview

There are several settings related to tokens, session timeouts, etc. in keycloak. These need to be set appropriately in order for RTR to work as expected on Eureka.

Prerequisites

  • Access to the Keycloak admin console

    • These settings can be made via API, but that’s outside the scope of this document for now.

  • Tenant Id(s)

  • Credentials for at least one user in each tenant (for testing purposes)

Configuration

  1. Log into the admin console for the target cluster. Typically the URL is something like: https://keycloak-<clusterId>.int.aws.folio.org.

  2. Select the target tenant from the realm drop-down in the top left corner.

  3. Select “Realm Settings” in the left hand nav pane, then the “Token” tab

  4. Under “Refresh tokens”:

    1. Enable “Revoke Refresh Tokens

    2. Set “Refresh Token Max Reuse” to 0. This is key to the “rotation” part of Refresh Token Rotation (RTR).

  5. Under “Access Tokens”:

    1. Set “Access Token Lifespan” to 10 minutes - this can be adjusted based on customer requirements.

  6. Click “Save”.

  7. Change to the “Sessions” tab

    1. For these next 4 settings, there’s somewhat complicated logic around determining what the RT TTL is, but keeping the values the same for all 4 settings makes it easy to figure out.

    2. These settings can be adjusted per customer requirements, but it’s easiest if a single value is used for all 4.

    3. These values must be > the “Access Token Lifespan” specified in step 5.

    4. For an explanation of the logic, see How to specify refresh tokens lifespan in Keycloak for details on the logic.

  8. Under “SSO Session Settings”:

    1. Set “SSO Session Idle” to 1 hour

    2. Set “SSO Session Max” to 1 hour

  9. Under “Client Session Settings”:

    1. Set “Client Session Idle” to 1 hour

    2. Set “Client Session Max” to 1 hour

  10. Click “Save”.

  11. Test the changes

    1. In a new browser window/tab, goto your tenant-specific URL

    2. Open your browser’s network tools (e.g. F12 on PC)

    3. Enter a valid username and password

    4. In the network tools, find and select the “token” API call, and look at the response. You should see the access token and refresh token expirations. Verify that they look right based on your configuration.

      1. Tip: It may be helpful to note the “Date” header in the response, then use that to compare to the expirations returned in the response body. (See screenshots below).

Stripes Configuration

There are several configuration options in stripes (stripes-config.js) which control things like when warning dialogs are shown, etc.

See stripes.config.js properties for details.

Screenshots

 

rtr-1.png

 

rtr-2.png

 

 

Keywords

idle session timeout, fixed length session, RTR, refresh token rotation, Keycloak, Access Token, Refresh Token, AT, RT, TTL, Token TTL