We are currently verifying our Keycloak session and token timeout settings to rule out error potential. I think the default configuration should do it for our use case.
I think the only worrying value is "Client login timeout", which we've set to 1 minute (like in the screenshot of the documentation). The documentation here states: Client login is the maximum time that a client has to finish the Authorization Code Flow in OIDC.
I read it but I don't understand it... I guess the documentation copy-pasted this from the Red Hat documentation here (or vice versa), but there is no detailed explanation there either.
So my question really is: What is "client login timeout" and what would be a good default for it? A perfect answer for me would just describe the workflow from a user perspective when it fails (like the user drank a coffee for 1 minute before clicking the e-mail verification link, etc.) and/or a link to further reading.
In simple terms, it is the time spent by the client to get an Access Token.
It is the maximum time the client has to finish the Authorization Code Flow. The steps involved in the Authorization Code Flow can be found in the OIDC specs:
https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps
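To make the timeout concrete, here is an added Python model of the provider's side of the code flow. It is constructed for this thread and is not Keycloak's own code; it assumes the 1-minute value from the question and an injectable clock so expiry can be exercised offline.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed model of an OIDC provider's authorization-code store. It is not
# Keycloak's implementation; it only mirrors the rule the answer describes:
# the client must redeem the code within the "client login timeout".
CLIENT_LOGIN_TIMEOUT_S = 60  # the 1-minute value from the question


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    issued_at: float
    used: bool = False


class CodeStore:
    def __init__(self, timeout_s=CLIENT_LOGIN_TIMEOUT_S, clock=time.time):
        self.timeout_s = timeout_s
        self.clock = clock  # injectable so expiry can be tested offline
        self._codes = {}

    def issue_code(self, client_id, redirect_uri):
        """User has authenticated; provider redirects back with ?code=..."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(client_id, redirect_uri, self.clock())
        return code

    def exchange_code(self, code, client_id, redirect_uri):
        """Client POSTs the code to the token endpoint.

        Returns ("ok", tokens) or ("invalid_grant", reason). RFC 6749 4.1.3
        requires rejecting a code that is expired, already redeemed, or
        presented by a different client / redirect_uri.
        """
        entry = self._codes.get(code)
        if entry is None:
            return "invalid_grant", "unknown code"
        if entry.used:
            return "invalid_grant", "code already redeemed"
        if entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            return "invalid_grant", "client/redirect_uri mismatch"
        if self.clock() - entry.issued_at > self.timeout_s:
            return "invalid_grant", "client login timeout exceeded"
        entry.used = True
        return "ok", {"access_token": secrets.token_urlsafe(16)}
```

Only the code-to-token step is bounded by this timeout; a user who pauses before clicking an e-mail link has not yet been issued a code, so that pause is governed by the other session and action timeouts rather than by this one.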