Change the Keycloak Token Lifetime

This document outlines how to change the Keycloak default token lifetime or the token lifetime for a specific client.

Note: The default value for these settings is 365 days.

Procedure

  1. Log in to Keycloak with the default admin credentials.

    1. Retrieve the admin user’s password for Keycloak.

      kubectl get secrets -n services keycloak-master-admin-auth -ojsonpath='{.data.password}' | base64 -d
      
    2. Log in to the Keycloak UI using the admin user and the password obtained in the previous step.

      The Keycloak UI URL is typically similar to the following: https://auth.cmn.<system_name>/keycloak

  2. Change the global token lifetime values.

    1. Select Realm Settings under Configure on the left of the admin page.
    2. Select the Tokens tab.
    3. Change the following options to the appropriate lifetime values:
      • Access Token Lifespan
      • Access Token Lifespan for Implicit Flow
    4. Click Save at the bottom of the page.
    5. Select the Sessions tab.
    6. Change the following options to the appropriate lifetime values:
      • SSO Session Idle
      • SSO Session Max
    7. Click Save at the bottom of the page.

    [Figures: Global Token Lifetime Options; Global Session Lifetime Options]

  3. Change a specific client’s token lifetime.

    1. Select Clients under Manage on the left of the admin page.
    2. Select the client whose token lifetime you want to change.
    3. Select the Advanced tab.
    4. Go to the Advanced Settings section.
    5. Change the Access Token Lifespan to the appropriate lifetime value.
    6. Click Save at the bottom of the page.

    [Figures: Client Settings; Client Token Lifetime Options]
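
To confirm that a change took effect, the lifetime of a newly issued access token can be read from its `iat` and `exp` claims. The shell functions below are an added example, not part of the original procedure; the function names, the `example-client` value, and the unsigned sample tokens are constructed for illustration.

```shell
#!/bin/sh
# Added example: read an access token's lifetime from its iat/exp claims.
# Decodes only; it does not verify the token signature.

# base64url-encode a string (used only to build the constructed samples below).
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

# Print the decoded JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in      # restore the padding that base64url strips
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the value of one numeric claim, for example exp or iat.
jwt_claim() {
    jwt_payload "$1" | tr -d ' \n' | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# Print the token lifetime in seconds (exp - iat); fail if a claim is missing.
token_lifetime() {
    exp=$(jwt_claim "$1" exp)
    iat=$(jwt_claim "$1" iat)
    [ -n "$exp" ] && [ -n "$iat" ] || return 1
    echo $(( exp - iat ))
}

# Return 0 if the lifetime is at most MAX seconds, 1 if longer, 2 if unreadable.
check_lifetime() {
    life=$(token_lifetime "$1") || { echo "cannot read iat/exp" >&2; return 2; }
    if [ "$life" -le "$2" ]; then
        echo "OK: ${life}s"
    else
        echo "TOO LONG: ${life}s (limit ${2}s)"
        return 1
    fi
}

# Constructed sample tokens (unsigned placeholders, not real Keycloak output).
# OLD_TOKEN carries the 365-day default; NEW_TOKEN a 300-second lifespan.
HDR=$(b64url '{"alg":"RS256","typ":"JWT"}')
OLD_TOKEN="$HDR.$(b64url '{"exp":1731536000,"iat":1700000000,"azp":"example-client"}').sig"
NEW_TOKEN="$HDR.$(b64url '{"exp":1700000300,"iat":1700000000,"azp":"example-client"}').sig"

check_lifetime "$OLD_TOKEN" 300 || true
check_lifetime "$NEW_TOKEN" 300 || true
```

Pass an access token issued after the change as the first argument to `check_lifetime` and the configured lifespan in seconds as the second.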