quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

Support aligning OIDC session lifetime with the refresh token lifetime #30766

Open sberyozkin opened 1 year ago

sberyozkin commented 1 year ago

Discussed in https://github.com/quarkusio/quarkus/discussions/30655

Originally posted by **canidae** January 27, 2023

**Question:** Can the OIDC cookies' expiry time be set to the refresh token's expiry time, rather than the ID token's expiry time? I believe the answer is "no", so the question really is: can it be implemented?

**Details:** We're using Keycloak as IdP, where we've set the ID/access token lifetime to the default 5 minutes, but "SSO Session Idle" and "SSO Session Max" (which cause refresh tokens to have the lower of these two values as their expiry time) are set much higher (several days in our case). The problem we've encountered is that Quarkus sets the expiry time of the cookies containing the tokens to the ID/access token expiry time plus `quarkus.oidc.authentication.session-age-extension` (default 5 minutes). Essentially this means that even if the refresh token is valid for days, a logged-in user who is idle for more than 10 minutes (5 minutes access token lifetime plus 5 minutes session-age-extension) will have to reauthenticate, even though the refresh token is still valid. We've solved this by setting a large value for `session-age-extension`, but it seems like this could've been better solved by setting the cookie expiry time to match the refresh token expiry time.

quarkus-bot[bot] commented 1 year ago

/cc @pedroigor (oidc)