Lifetime of OAuth/SAML Token?

I have activated SSO in my xwiki with Keycloak as IDP. Everything works like a charm, including the mapping of users to XWiki Groups (Admin, readonly, etc.)

However, although I’ve set very long token lifetimes on purpose in Keycloak, I need to reauthenticate in XWiki again after quite short intervals (at least twice a day).

Any idea why this is or how I can change it?
I would like to make use of the refresh token to basically SSO once every couple of weeks only.

This should be possible with SAML as well, right? How can I configure this on the Xwiki side?

My SSO settings are:
```
oidc.endpoint.authorization=https://keycloak.home.xxx.de/realms/xxx.de/protocol/openid-connect/auth
oidc.endpoint.token=https://keycloak.home.xxx.de/realms/xxx.de/protocol/openid-connect/token
oidc.endpoint.userinfo=https://keycloak.home.xxx.de/realms/xxx.de/protocol/openid-connect/userinfo
oidc.scope=openid,profile,email,address,offline_access
oidc.endpoint.userinfo.method=GET
oidc.user.nameFormater=${oidc.user.preferredUsername._clean._lowerCase}
oidc.user.subjectFormater=${oidc.user.subject}
oidc.groups.claim=xwiki_groups
oidc.groups.mapping=XWikiAdminGroup=xwiki-admin-group
oidc.groups.mapping=XWikiAllGroup=xwiki-all-group
oidc.groups.mapping=XWikiBigiglooGroup=xwiki-bigigloo-group
oidc.groups.mapping=XWikiTestroup=xwiki-test-group

oidc.groups.allowed=

oidc.groups.forbidden=

oidc.userinfoclaims=xwiki_user_accessibility,xwiki_user_company,xwiki_user_displayHiddenDocuments,xwiki_user_editor,xwiki_user_usertype,xwiki_groups

oidc.userinforefreshrate=600000

oidc.clientid=xwiki-oauth-client
oidc.secret=xxxxx
oidc.endpoint.token.auth_method=client_secret_basic
oidc.skipped=false
```

In Keycloak, my session lifetimes are set to:

```
SSO Session IDLE: 7d
SSO Session Max: 30d
Client session idle: 7d
Client session max: 30d
Offline session idle: 30d
Client offline session max: 30d (This is what I want to make use of)
Access token lifespan: 15min
Access token lifespan for implicit flow: 15min
```

This is a current limitation of the OIDC authenticator, related to the fact that it stores OIDC information only in the session, so it does not really know who you are anymore when you come back after being away long enough for the session to be lost.

The issue is OIDC-16.

Actually clicking on Login had me perform the full authentication workflow again on the Keycloak side. (Redirect to IdP, perform auth, redirect back to RP) That’s not what you mean, is it?

This would suggest that your provider also forgot who you are. If the provider keeps you logged in, then you barely notice that you went through an authentication, usually when accessing something you are not allowed to access as a guest user.

In OIDC, it’s the provider’s job to verify your identity. Whether or not you authenticated in the past, the client is supposed to always ask the provider if it’s still OK when you come back. It then keeps you logged in as long as the session survives, but even then it’s pretty common for the provider to be configured to forcibly log you out of all applications you are currently using when you log out from the provider (meaning it sends a request to all clients to invalidate the sessions of the user).
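As an added illustration of what the question is asking for (using the refresh token obtained via `offline_access` instead of a fresh Keycloak login), and of why it only works if the client keeps token state outside the HTTP session as the reply above describes, here is a minimal client-side refresh cycle. This is example code written for this thread, not code from the XWiki OIDC authenticator or from Keycloak. The token endpoint, client id and `client_secret_basic` method are taken from the `oidc.*` settings in the question; the secret, the tokens and the token-endpoint response are constructed placeholders, and no network call is made.

```python
import base64
import json
import time
from typing import Optional, Tuple
from urllib.parse import urlencode

# Values copied from the oidc.* settings in the question; the secret is a placeholder.
TOKEN_ENDPOINT = "https://keycloak.home.xxx.de/realms/xxx.de/protocol/openid-connect/token"
CLIENT_ID = "xwiki-oauth-client"
CLIENT_SECRET = "PLACEHOLDER_SECRET"   # placeholder for the real oidc.secret
CLOCK_SKEW = 60                        # seconds of tolerance for clock drift


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Read the payload of a JWT *without* verifying it.

    Good enough to schedule a refresh; never use this to trust claims,
    because the signature is not checked here.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def needs_refresh(access_token: str, now: Optional[float] = None) -> bool:
    """True when the access token is expired or expires within CLOCK_SKEW seconds."""
    now = time.time() if now is None else now
    return jwt_claims(access_token)["exp"] - CLOCK_SKEW <= now


def build_refresh_request(refresh_token: str) -> Tuple[str, dict, str]:
    """Build the refresh_token grant the way client_secret_basic requires:
    client credentials go in an HTTP Basic header, not in the form body."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return TOKEN_ENDPOINT, headers, body


def apply_token_response(store: dict, response: dict, now: Optional[float] = None) -> dict:
    """Update the client-side token store from a token endpoint response.

    Keycloak rotates refresh tokens, so the new refresh_token must replace the
    old one or the next refresh fails. Error responses (e.g. invalid_grant once
    the offline session has expired) are raised so the caller falls back to a
    full login instead of silently keeping stale tokens.
    """
    now = time.time() if now is None else now
    if "error" in response:
        raise RuntimeError(f"refresh rejected: {response['error']}")
    store["access_token"] = response["access_token"]
    store["expires_at"] = now + response["expires_in"]
    if "refresh_token" in response:
        store["refresh_token"] = response["refresh_token"]
    return store


# --- constructed sample data (not real Keycloak output) ---------------------
def make_sample_jwt(claims: dict) -> str:
    """Build an unsigned sample JWT for the demo; real tokens are signed by Keycloak."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


def demo(now: float = 1_700_000_000.0) -> dict:
    """Walk one refresh cycle with constructed tokens and return the token store."""
    store = {
        # Access token that expired 10 s ago, as after the 15 min lifespan in the question.
        "access_token": make_sample_jwt({"sub": "user-1", "exp": int(now) - 10}),
        "refresh_token": "sample-refresh-token-1",
    }
    if needs_refresh(store["access_token"], now):
        _url, _headers, _body = build_refresh_request(store["refresh_token"])
        # Constructed stand-in for what Keycloak would return to that POST.
        fake_response = {
            "access_token": make_sample_jwt({"sub": "user-1", "exp": int(now) + 900}),
            "expires_in": 900,
            "refresh_token": "sample-refresh-token-2",
        }
        apply_token_response(store, fake_response, now)
    return store


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of `store` is the one the reply makes: it has to be persisted somewhere that outlives the servlet session (a database row or an encrypted cookie keyed to the user), otherwise the refresh token is gone exactly when it would be needed and the only option left is the full redirect to the provider. Note also that a refresh succeeds only while the Keycloak offline session is still valid, so the `invalid_grant` branch is the normal path once the 30-day maximum in the question is reached.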