I have a Spring MVC web app with Spring Security, using Keycloak v24.0.2 and Spring Boot v3.2.4. In Keycloak I set the parameters "SSO Session Idle" and "Access Token Lifespan" to 1 minute, but the session still does not expire after the user has been idle for 1 minute. I expect a redirect to the login screen after being idle for that long. What is wrong with my setup? Below is my configuration.
build.gradle
dependencies {
...
implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.springframework.boot:spring-boot-starter-security'
implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
...
}
application.yaml
...
spring:
security:
oauth2:
client:
registration:
keycloak:
client-id: local-client
client-secret: [my-client-secret]
scope: openid
provider:
keycloak:
issuer-uri: http://localhost:8180/realms/local-realm
user-name-attribute: preferred_username
...
MySecurityConfig.java
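@Configuration
@EnableWebSecurity
public class MySecurityConfig {

    // The original referenced this name without declaring or injecting it; it is
    // required by OidcClientInitiatedLogoutSuccessHandler. Fully qualified so no
    // new import is needed.
    private final org.springframework.security.oauth2.client.registration.ClientRegistrationRepository
            clientRegistrationRepository;

    public MySecurityConfig(
            org.springframework.security.oauth2.client.registration.ClientRegistrationRepository
                    clientRegistrationRepository) {
        this.clientRegistrationRepository = clientRegistrationRepository;
    }

    /**
     * Builds the filter chain: every request needs a full (non-remember-me) authentication,
     * login goes through OIDC, and logout is propagated to the provider.
     *
     * <p>NOTE(review): the HTTP session created after {@code oauth2Login} is owned by the
     * servlet container, not by Keycloak. "SSO Session Idle" and "Access Token Lifespan"
     * bound the Keycloak session and the access token; they do not shorten this local
     * session, which lives until {@code server.servlet.session.timeout} elapses
     * (30 minutes by default in Spring Boot). If the app should re-authenticate after the
     * same idle time, that timeout has to be set accordingly — confirm against the
     * deployment's session settings.
     *
     * @param http the builder supplied by Spring Security
     * @return the configured filter chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().fullyAuthenticated())
            .oauth2Login(Customizer.withDefaults())
            .logout(logout -> logout
                .logoutSuccessHandler(oidcLogoutSuccessHandler())
                .permitAll());
        return http.build();
    }

    /**
     * RP-initiated logout: after the local logout, the user is sent to the provider's
     * end-session endpoint and then back to the application root ({@code {baseUrl}}).
     * Without this the Keycloak SSO session would outlive the local one.
     */
    OidcClientInitiatedLogoutSuccessHandler oidcLogoutSuccessHandler() {
        OidcClientInitiatedLogoutSuccessHandler handler =
                new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);
        handler.setPostLogoutRedirectUri("{baseUrl}");
        return handler;
    }
}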

