This repository has been archived by the owner on Apr 3, 2023. It is now read-only.
Is your feature request related to a problem? Please describe.
The default value of autoRefreshToken is currently true on the ReactKeycloakProvider component. This was surprising to me, and to others I spoke with, since it means it will keep an SSO session alive as long as a user has a tab/window open (and has a stable network connection) to a page that uses the ReactKeycloakProvider component where the default was not manually set to false via the autoRefreshToken property. For an app with no server-side user state, where the session times are not managed by the app server, this could extend login session liveness past what a developer intended.
Describe the solution you'd like
A more secure default would be false. Then include some instructions somewhere on strategies to refresh the token, like calling updateToken on any API call requiring authentication, prior to making the call. Another option is using something like react-idle-timer if the intent is to watch for client-side activity to keep the SSO session alive. Again, these strategies are geared more towards apps with no server-side managed session state, which are getting to be more common.
Describe alternatives you've considered
No matter what the default is, it would still be good to give instructions on alternative strategies for keeping tokens alive in this repo, and in code comments where it says changing this default is not recommended.
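The refresh-on-demand strategy proposed above (keep autoRefreshToken off and call updateToken only right before an authenticated API call), written out as an added example. This is not code from the react-keycloak project or from the issue author. The real keycloak-js adapter's updateToken(minValidity) returns a Promise<boolean>; the stand-in adapter below is a constructed, synchronous imitation with a fake clock so the logic runs offline, and the access-token lifetime (300 s) and SSO idle timeout (1800 s) are assumed values. With the real adapter, put `await` in front of the updateToken call.

```javascript
// Added example (not react-keycloak code): refresh the Keycloak token on demand, only when an
// authenticated request is about to be sent, so an idle tab does not keep the SSO session alive.

// Constructed stand-in for the keycloak-js adapter. Assumed lifetimes: access token 300 s,
// SSO idle timeout 1800 s (if no refresh happens within that window the session is gone).
function makeFakeKeycloak(clock, { accessLifetimeSec = 300, ssoIdleSec = 1800 } = {}) {
  const kc = {
    token: null,
    tokenExpiresAt: 0,
    ssoExpiresAt: 0,
    refreshCount: 0,
    loginCalls: 0,
    authenticated: false,
  };

  // init(): obtain the first access token and start the SSO session.
  kc.init = () => {
    kc.authenticated = true;
    kc.refreshCount = 0;
    kc.token = `access-token-${kc.refreshCount}`;
    kc.tokenExpiresAt = clock.now + accessLifetimeSec;
    kc.ssoExpiresAt = clock.now + ssoIdleSec;
    return true;
  };

  // updateToken(minValidity), modelled on keycloak-js semantics: returns true if a refresh
  // happened, false if the token is still valid for at least minValidity seconds, and throws
  // if the SSO session has already expired (the real adapter rejects its promise instead).
  kc.updateToken = (minValidity) => {
    if (!kc.authenticated) throw new Error('not authenticated');
    if (clock.now >= kc.ssoExpiresAt) {
      kc.authenticated = false;
      kc.token = null;
      throw new Error('refresh failed: SSO session has expired');
    }
    const secondsLeft = kc.tokenExpiresAt - clock.now;
    if (secondsLeft >= minValidity) return false;
    kc.refreshCount += 1;
    kc.token = `access-token-${kc.refreshCount}`;
    kc.tokenExpiresAt = clock.now + accessLifetimeSec;
    kc.ssoExpiresAt = clock.now + ssoIdleSec; // a refresh counts as activity at the IdP
    return true;
  };

  kc.login = () => { kc.loginCalls += 1; };
  return kc;
}

// The strategy itself: refresh right before the request, never on a background timer.
// fetchImpl is injected so the example runs without a network; in a browser pass window.fetch.
function authFetch(keycloak, fetchImpl, url, options = {}, minValiditySec = 30) {
  let refreshed;
  try {
    refreshed = keycloak.updateToken(minValiditySec);
  } catch (err) {
    // The session is over: do not retry silently, send the user back through login.
    keycloak.login();
    return { status: 401, refreshed: false, sessionExpired: true };
  }
  const headers = { ...(options.headers || {}), Authorization: `Bearer ${keycloak.token}` };
  const response = fetchImpl(url, { ...options, headers });
  return { ...response, refreshed, sessionExpired: false };
}

// Scenario covering the three cases: fresh token, token about to expire, SSO session expired.
function runScenario() {
  const clock = { now: 0 };
  const kc = makeFakeKeycloak(clock);
  kc.init();
  const seen = [];
  const fakeFetch = (url, opts) => { seen.push(opts.headers.Authorization); return { status: 200 }; };

  const first = authFetch(kc, fakeFetch, '/api/me', {}, 30);   // t=0: 300 s left, no refresh
  clock.now = 280;
  const second = authFetch(kc, fakeFetch, '/api/me', {}, 30);  // 20 s left < 30 s: refresh
  clock.now = 280 + 1800;
  const third = authFetch(kc, fakeFetch, '/api/me', {}, 30);   // idle 1800 s: session expired
  return { first, second, third, seen, refreshCount: kc.refreshCount, loginCalls: kc.loginCalls };
}
```

The minValidity argument is the knob that matters: it should cover the request's expected round trip so the token does not expire in flight, but a large value makes every call refresh and recreates the always-alive behaviour the issue objects to.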