27
votes

I'm currently setting up Keycloak to offer protection for some services. There will be both external customers and internal services consuming the same endpoints on my services.

Can I set the token expiry on a user or role or client level, or use a mix of tokens and Basic auth?

3
I need exactly this (particularly to set different expiration times based on client basis). Did you finally achieve it? Cheers. - jbernal
I do not see from Keycloak admin console how this is possible. Is there any Keycloak guru out there that knows whether it is possible? In my case we are using 4.0.0 Final. - mtsahakis
There is surely a need for service user accounts. E.g. TV panels displaying a webpage. - Yuri

3 Answers

38
votes

It is possible to configure a different lifespan for access tokens on a per-client basis. In the Keycloak admin console, go to a client's settings page and expand the "Advanced Settings" section.
This screenshot is taken from Keycloak 4.8.1.Final.


EDIT: Be aware that this override is applied to Authorization Code Flow only. The access token lifespan for Implicit Flow can still (Keycloak 7.0.0) be set on realm level only!

EDIT: Since Keycloak 10.0.0 it is also possible to override session idle and session max timeout per client.

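Added example, not part of the answer above: a way to confirm that a per-client override is actually in effect is to decode access tokens issued to each client and compare `exp - iat` with the lifespan you intended. The client ids, lifespans and sample tokens are constructed assumptions, and the signature is deliberately not verified because this only audits lifetimes.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_lifespan(jwt: str) -> tuple[str, int]:
    """Return (client id from 'azp', exp - iat in seconds) for an access token.
    The signature is NOT verified: this audits lifetimes, it is not an auth check."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    claims = json.loads(b64url_decode(parts[1]))
    for name in ("azp", "iat", "exp"):
        if name not in claims:
            raise ValueError(f"missing claim: {name}")
    return claims["azp"], int(claims["exp"]) - int(claims["iat"])

def audit(tokens: list[str], expected: dict[str, int], realm_default: int) -> list[str]:
    """List clients whose token lifespan differs from the intended value."""
    findings = []
    for jwt in tokens:
        client, seconds = token_lifespan(jwt)
        want = expected.get(client, realm_default)  # no override: realm value applies
        if seconds != want:
            findings.append(f"{client}: got {seconds}s, expected {want}s")
    return findings

def make_sample(azp: str, iat: int, lifespan: int) -> str:
    """Build a constructed, unsigned sample token (stand-in for a real one)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"azp": azp, "iat": iat, "exp": iat + lifespan}), "sig"])

# Constructed sample data: client ids and lifespans below are assumptions.
EXPECTED = {"tv-panel": 3600}  # intended per-client override, in seconds
REALM_DEFAULT = 300            # intended realm-level access token lifespan
SAMPLES = [
    make_sample("tv-panel", 1_700_000_000, 3600),         # override in effect
    make_sample("customer-portal", 1_700_000_000, 300),   # realm default
    make_sample("internal-batch", 1_700_000_000, 3600),   # longer than intended
]

if __name__ == "__main__":
    for finding in audit(SAMPLES, EXPECTED, REALM_DEFAULT):
        print(finding)
```

Since the answer notes that the override applies to Authorization Code Flow only, tokens fed to `audit` should be collected separately for each flow a client uses.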

8
votes


It can be done on the realm only, as correctly mentioned by @maslick, as Keycloak does SSO and expects multiple clients in one realm.

Although, you can code accordingly in your application picking the Keycloak session if you need it to be custom.

0
votes

Unfortunately, token expiration time can be set on a per-realm basis only.