scim-for-keycloak
Issue with Use with Microsoft Azure AD wiki page
Hi @Captain-P-Goldfish
The PS script on the page "Use with Microsoft Azure AD" (https://github.com/Captain-P-Goldfish/scim-for-keycloak/wiki/Use-with-Microsoft-Azure-AD) seems off:
"https://$server/auth/realms/$realm/protocol/openid-connect/token"
But it should be without "auth":
"https://$server/realms/$realm/protocol/openid-connect/token"
Also would be nice to have an updated screenshot :-)
Also, here is a cURL bash script to get an access_token:

```bash
curl \
-d "client_id=scim-from-azure-ad" \
-d "client_secret=Q5-----removed---------------Huh" \
-d "grant_type=client_credentials" \
"https://kc-server.example.com/realms/master/protocol/openid-connect/token" | jq .
```

FYI: expires_in : 36000, even though I have set it to 399 days.
Yeah, the description is old. Unfortunately I cannot provide an updated screenshot since I have no access to a Microsoft Azure AD system myself.
The short expiration time of your token is due to the maximum lifetime settings in your realm.
The Azure screenshots are still good. The KC screenshot and the PowerShell script need an update.
Regarding expiration time: it seems that the client setting "Access Token Lifespan" can't be larger than the realm setting "SSO Session Max".
See also here: https://keycloak.discourse.group/t/understanding-access-token-lifespan/11855/5
Two things to always keep in mind:

- A refresh token can never last longer than the Keycloak session.
- An access token can never last longer than a refresh token.

Therefore, you must make sure that:

- "SSO Session Idle" and "SSO Session Max" have an equal or greater value than "Client Session Idle" and "Client Session Max".
- "Client Session Idle" and "Client Session Max" have an equal or greater value than "Access Token Lifespan".
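The lifetime rule quoted above, as an added example (not the project's or the thread's code) that reads a Keycloak realm export and works out the expires_in a client will really get, plus which of the quoted rules are violated. It assumes the realm export keys and the client attribute names access.token.lifespan, client.session.idle.timeout and client.session.max.lifespan; the realm fragment is constructed to match the 399-day setting reported in this issue.

```python
import json

# Constructed realm export fragment (not a real export): the client raised
# "Access Token Lifespan" to 399 days, realm-level session settings are defaults.
REALM_EXPORT = json.dumps({
    "realm": "master",
    "ssoSessionIdleTimeout": 1800, "ssoSessionMaxLifespan": 36000,
    "clientSessionIdleTimeout": 0, "clientSessionMaxLifespan": 0,
    "accessTokenLifespan": 300,
    "clients": [{"clientId": "scim-from-azure-ad",
                 "attributes": {"access.token.lifespan": str(399 * 86400)}}],
})

# Realm key -> client attribute that overrides it (0 or absent = inherit).
CLIENT_OVERRIDES = {
    "accessTokenLifespan": "access.token.lifespan",
    "clientSessionIdleTimeout": "client.session.idle.timeout",
    "clientSessionMaxLifespan": "client.session.max.lifespan",
}

def load_realm(text=REALM_EXPORT):
    return json.loads(text)

def resolve_lifespans(realm, client_id):
    """Realm values with the client's non-zero overrides; client session 0 = SSO value."""
    client = next(c for c in realm["clients"] if c["clientId"] == client_id)
    attrs = client.get("attributes", {})
    v = {k: int(realm.get(k, 0)) for k in ("ssoSessionIdleTimeout",
         "ssoSessionMaxLifespan", "clientSessionIdleTimeout",
         "clientSessionMaxLifespan", "accessTokenLifespan")}
    for key, attr in CLIENT_OVERRIDES.items():
        if int(attrs.get(attr) or 0) > 0:
            v[key] = int(attrs[attr])
    v["clientSessionIdleTimeout"] = v["clientSessionIdleTimeout"] or v["ssoSessionIdleTimeout"]
    v["clientSessionMaxLifespan"] = v["clientSessionMaxLifespan"] or v["ssoSessionMaxLifespan"]
    return v

def check_access_token_cap(realm, client_id):
    """Return (expires_in the token really gets, violated rules: session >= client session >= token)."""
    v = resolve_lifespans(realm, client_id)
    problems = []
    for sso, cs in (("ssoSessionIdleTimeout", "clientSessionIdleTimeout"),
                    ("ssoSessionMaxLifespan", "clientSessionMaxLifespan")):
        if v[sso] < v[cs]:
            problems.append(f"{cs}={v[cs]} exceeds {sso}={v[sso]}")
        if v[cs] < v["accessTokenLifespan"]:
            problems.append(f"accessTokenLifespan={v['accessTokenLifespan']} exceeds {cs}={v[cs]}")
    # Assumption: the token is capped by the Max values (the 36000 s expires_in seen
    # in this thread); the idle rules are only reported, not applied to the cap.
    effective = min(v["accessTokenLifespan"], v["clientSessionMaxLifespan"], v["ssoSessionMaxLifespan"])
    return effective, problems
```

Running it on the constructed export returns 36000 with two violated rules, which is the behaviour reported in this issue.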