Session and token timeouts

Keycloak includes control of the session, cookie, and token timeouts through the Sessions and Tokens tabs in the Realm settings menu.

Sessions tab

Sessions Tab

Configuration	Description
SSO Session Idle	This setting is for OIDC clients only. If a user is inactive for longer than this timeout, the user session is invalidated. This timeout value resets when clients request authentication or send a refresh token request. Keycloak adds a window of time to the idle timeout before the session invalidation takes effect. See the note later in this section.
SSO Session Max	The maximum time before a user session expires.
SSO Session Idle Remember Me	This setting is similar to the standard SSO Session Idle configuration but specific to logins with Remember Me enabled. Users can specify longer session idle timeouts when they click Remember Me when logging in. This setting is an optional configuration and, if its value is not greater than zero, it uses the same idle timeout as the SSO Session Idle configuration.
SSO Session Max Remember Me	This setting is similar to the standard SSO Session Max but specific to Remember Me logins. Users can specify longer sessions when they click Remember Me when logging in. This setting is an optional configuration and, if its value is not greater than zero, it uses the same session lifespan as the SSO Session Max configuration.
Client Session Idle	If the user is inactive for longer than this timeout, refresh token requests bump the idle timeout. This setting specifies a shorter idle timeout of refresh tokens than the session idle timeout, but users can override it for individual clients. This setting is an optional configuration and, when set to zero, uses the same idle timeout in the SSO Session Idle configuration.
Client Session Max	The maximum time before a refresh token expires and invalidates. This setting specifies a shorter timeout of refresh tokens than the session timeout, but users can override it for individual clients. This setting is an optional configuration and, when set to zero, uses the same idle timeout in the SSO Session Max configuration.
Offline Session Idle	This setting is for offline access. The amount of time the session remains idle before Keycloak revokes its offline token. Keycloak adds a window of time to the idle timeout before the session invalidation takes effect. See the note later in this section.
Offline Session Max Limited	This setting is for offline access. If this flag is ON, Offline Session Max can control the maximum time the offline token remains active, regardless of user activity. Client Offline Session Idle and Client Offline Session Max are enabled.
Offline Session Max	This setting is for offline access, and it is the maximum time before Keycloak revokes the corresponding offline token. This option controls the maximum amount of time the offline token remains active, regardless of user activity.
Login timeout	The total time a logging in must take. If authentication takes longer than this time, the user must start the authentication process again.
Login action timeout	The Maximum time users can spend on any one page during the authentication process.

Configuration

Description

SSO Session Idle

This setting is for OIDC clients only. If a user is inactive for longer than this timeout, the user session is invalidated. This timeout value resets when clients request authentication or send a refresh token request. Keycloak adds a window of time to the idle timeout before the session invalidation takes effect. See the note later in this section.

SSO Session Max

The maximum time before a user session expires.

SSO Session Idle Remember Me

This setting is similar to the standard SSO Session Idle configuration but specific to logins with Remember Me enabled. Users can specify longer session idle timeouts when they click Remember Me when logging in. This setting is an optional configuration and, if its value is not greater than zero, it uses the same idle timeout as the SSO Session Idle configuration.

SSO Session Max Remember Me

This setting is similar to the standard SSO Session Max but specific to Remember Me logins. Users can specify longer sessions when they click Remember Me when logging in. This setting is an optional configuration and, if its value is not greater than zero, it uses the same session lifespan as the SSO Session Max configuration.

Client Session Idle

If the user is inactive for longer than this timeout, refresh token requests bump the idle timeout. This setting specifies a shorter idle timeout of refresh tokens than the session idle timeout, but users can override it for individual clients. This setting is an optional configuration and, when set to zero, uses the same idle timeout in the SSO Session Idle configuration.

Client Session Max

The maximum time before a refresh token expires and invalidates. This setting specifies a shorter timeout of refresh tokens than the session timeout, but users can override it for individual clients. This setting is an optional configuration and, when set to zero, uses the same idle timeout in the SSO Session Max configuration.

Offline Session Idle

This setting is for offline access. The amount of time the session remains idle before Keycloak revokes its offline token. Keycloak adds a window of time to the idle timeout before the session invalidation takes effect. See the note later in this section.

Offline Session Max Limited

This setting is for offline access. If this flag is ON, Offline Session Max can control the maximum time the offline token remains active, regardless of user activity. Client Offline Session Idle and Client Offline Session Max are enabled.

Offline Session Max

This setting is for offline access, and it is the maximum time before Keycloak revokes the corresponding offline token. This option controls the maximum amount of time the offline token remains active, regardless of user activity.

The total time a logging in must take. If authentication takes longer than this time, the user must start the authentication process again.

The Maximum time users can spend on any one page during the authentication process.

Tokens tab

Tokens Tab

Configuration	Description
Default Signature Algorithm	The default algorithm used to assign tokens for the realm.
Revoke Refresh Token	When Enabled, Keycloak revokes refresh tokens and issues another token that the client must use. This action applies to OIDC clients performing the refresh token flow.
Access Token Lifespan	When Keycloak creates an OIDC access token, this value controls the lifetime of the token.
Access Token Lifespan For Implicit Flow	With the Implicit Flow, Keycloak does not provide a refresh token. A separate timeout exists for access tokens created by the Implicit Flow.
Client login timeout	The maximum time before clients must finish the Authorization Code Flow in OIDC.
User-Initiated Action Lifespan	The maximum time before a user’s action permission expires. Keep this value short because users generally react to self-created actions quickly.
Default Admin-Initiated Action Lifespan	The maximum time before an action permission sent to a user by an administrator expires. Keep this value long to allow administrators to send e-mails to offline users. An administrator can override the default timeout before issuing the token.
Email Verification	Specifies independent timeout for email verification.
IdP account email verification	Specifies independent timeout for IdP account email verification.
Forgot password	Specifies independent timeout for forgot password.
Execute actions	Specifies independent timeout for execute actions.

Configuration

Description

Default Signature Algorithm

The default algorithm used to assign tokens for the realm.

Revoke Refresh Token

When Enabled, Keycloak revokes refresh tokens and issues another token that the client must use. This action applies to OIDC clients performing the refresh token flow.

Access Token Lifespan

When Keycloak creates an OIDC access token, this value controls the lifetime of the token.

Access Token Lifespan For Implicit Flow

With the Implicit Flow, Keycloak does not provide a refresh token. A separate timeout exists for access tokens created by the Implicit Flow.

Client login timeout

The maximum time before clients must finish the Authorization Code Flow in OIDC.

User-Initiated Action Lifespan

The maximum time before a user’s action permission expires. Keep this value short because users generally react to self-created actions quickly.

Default Admin-Initiated Action Lifespan

The maximum time before an action permission sent to a user by an administrator expires. Keep this value long to allow administrators to send e-mails to offline users. An administrator can override the default timeout before issuing the token.

Email Verification

Specifies independent timeout for email verification.

IdP account email verification

Specifies independent timeout for IdP account email verification.

Forgot password

Specifies independent timeout for forgot password.

Execute actions

Specifies independent timeout for execute actions.

For idle timeouts, a two-minute window of time exists that the session is active. For example, when you have the timeout set to 30 minutes, it will be 32 minutes before the session expires.

This action is necessary for some scenarios in cluster and cross-data center environments where the token refreshes on one cluster node a short time before the expiration and the other cluster nodes incorrectly consider the session as expired because they have not yet received the message about a successful refresh from the refreshing node.