Change the Keycloak Token Lifetime

This document outlines how to change the Keycloak default token lifetime or the token lifetime for a specific client.

Note: The default value for these settings is 365 days.

Procedure

Log in to Keycloak with the default admin credentials.

Point a browser at https://auth.cmn.SYSTEM_DOMAIN_NAME/keycloak/admin, replacing SYSTEM_DOMAIN_NAME with the actual NCN’s DNS name. Use of the auth.cmn. sub-domain is required for administrative access to Keycloak.

The following is an example URL for a system: https://auth.cmn.system1.us.cray.com/keycloak/admin

Use the following admin login credentials:

  • Username: admin
  • The password can be obtained with the following command:

    kubectl get secret -n services keycloak-master-admin-auth \
        --template={{.data.password}} | base64 --decode

Change Global Token Lifetime Values

  1. Select Realm Settings under Configure on the left of the admin page.
  2. Select the Tokens tab.
  3. Change the following options to the appropriate lifetime values:
    • SSO Session Idle
    • SSO Session Max
    • Access Token Lifespan
    • Access Token Lifespan for Implicit Flow
  4. Click Save at the bottom of the page.

[Figure: Global Token Lifetime Options]

Change A Specific Client’s Token Lifetime

  1. Select Clients under Configure on the left of the admin page.
  2. Select the client that you wish to change the token lifetime for.
  3. Expand Advanced Settings.
  4. Change the Access Token Lifespan to the appropriate lifetime value.
  5. Click Save at the bottom of the page.

[Figure: Client Settings]

[Figure: Client Token Lifetime Options]
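
After changing the values above, the result can be checked offline against a realm export. The following is an added example, not part of the original procedure or of Keycloak itself: it assumes the export uses Keycloak's realm representation field names (values in seconds) and the client attribute access.token.lifespan for per-client overrides. The realm name, client names, and policy limits are constructed placeholders.

```python
DAY = 86400  # seconds

# Constructed sample shaped like a Keycloak realm export (values in seconds).
# Realm and client names are placeholders, not taken from the page.
SAMPLE_EXPORT = {
    "realm": "example-realm",
    "ssoSessionIdleTimeout": 365 * DAY,
    "ssoSessionMaxLifespan": 365 * DAY,
    "accessTokenLifespan": 365 * DAY,
    "accessTokenLifespanForImplicitFlow": 900,
    "clients": [
        {"clientId": "example-cli", "attributes": {"access.token.lifespan": "3600"}},
        {"clientId": "example-service", "attributes": {}},
        {"clientId": "example-legacy", "attributes": {"access.token.lifespan": "63072000"}},
    ],
}

# Hypothetical policy ceilings in seconds; replace with your site's limits.
POLICY = {
    "ssoSessionIdleTimeout": 1 * DAY,
    "ssoSessionMaxLifespan": 7 * DAY,
    "accessTokenLifespan": 1 * DAY,
    "accessTokenLifespanForImplicitFlow": 3600,
}

def audit_token_lifetimes(export, policy=POLICY):
    """Return (scope, setting, seconds, limit) for each value above policy."""
    findings = []
    for key, limit in policy.items():
        value = export.get(key)
        if value is not None and int(value) > limit:
            findings.append(("realm", key, int(value), limit))
    limit = policy["accessTokenLifespan"]
    for client in export.get("clients", []):
        override = (client.get("attributes") or {}).get("access.token.lifespan")
        # An absent or empty override means the client inherits the realm value.
        inherited = override in (None, "")
        effective = export.get("accessTokenLifespan") if inherited else override
        if effective is not None and int(effective) > limit:
            source = "inherited from realm" if inherited else "client override"
            findings.append((client["clientId"], source, int(effective), limit))
    return findings

if __name__ == "__main__":
    for scope, setting, seconds, limit in audit_token_lifetimes(SAMPLE_EXPORT):
        print(f"{scope}: {setting} = {seconds / DAY:.1f} days "
              f"(limit {limit / DAY:.1f} days)")
```

A client with no override is reported with the realm's Access Token Lifespan, so lowering the global value clears those findings, while clients with their own override must be changed individually.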