Commit
Added documentation for configuring session timeout (geosolutions-it#9824)

* Added documentation for configuring session timeout

* Apply suggestions from code review

* Additional fixes to doc

---------

Co-authored-by: Lorenzo Natali <[email protected]>
dsuren1 and offtherailz authored Dec 19, 2023
1 parent c9cc31b commit 61dd0a4
Showing 1 changed file with 35 additions and 0 deletions.
35 changes: 35 additions & 0 deletions docs/developer-guide/integrations/auth.md
@@ -6,6 +6,41 @@ In this section you can see the implementation details about the login / logout

<img src="../img/standard-mapstore-login.png" class="ms-docimage" style="max-width: 400px"/>

### Configure session timeout

By default MapStore session token lives 24 hours and the refresh token last forever. On application reboot anyway all the tokens are cancelled. In order to change these default. the administrator can change these defaults by adding to `mapstore-ovr.properties` file the following properties:

```properties
# Session timeout
restSessionService.sessionTimeout=60 #in seconds
restSessionService.autorefresh=false
```

Where:

- `restSessionService.sessionTimeout` refers to session token expiration time (by default it’s 24 hours)
- `restSessionService.autorefresh` refers to flag configured to handle automatic refresh process in the backend, enabling/disabling the refresh token usage:
- when set to `false`, it avoids the use of refresh token after the session token has expired, meaning, after the timeout the user will have to reconnect
- when set to `true`, the refresh token is used and the session extends every time the session timeout is met

!!! note
`sessionTimeout` and `autorefresh` in `mapstore.properties` are valid for the default session storage. If you are using openID or keycloak, they will not be used.

Additionally, on the client side, in order to configure the interval in which is session `refresh` action is fired, one can use the `tokenRefreshInterval` property. It can be configured via `localConfig.json -> tokenRefreshInterval`, the value is in milliseconds.

```json
tokenRefreshInterval: 60000 // default 30 seconds
```

When the above configured `Session timeout` is in place, the client can exhibit two behaviors based on the `tokenRefreshInterval` configured on the client side,
Disabling the refresh token (setting `restSessionService.autorefresh` to `false`) the administrator can use `sessionTimeout` and `tokenRefreshInterval` to limit the session duration this way:

- when `tokenRefreshInterval` is **less than** `sessionTimeout` configured (e.g `tokenRefreshInterval` is 30 seconds and `sessionTimeout` is 24 hours)
- when application is in use, the client performs a refresh token call before the expiring time and session is prolonged
- when the application is closed (i.e for any reason) and reopened after `sessionTimeout` configured, the client cannot perform refresh token call within the timeout window and hence the session expires and the user is asked to reconnect
- when `tokenRefreshInterval` is **greater than** `sessionTimeout` configured
- the session expires anyway before the refresh and the client is unable to perform the refresh activity within the configured time interval. The user will have to re-authenticate. In this case the two configuration should be nearly the same value, 30 seconds of difference, for example. This helps the client to perform the refresh activity immediately after the session expires to log out the user.

## OpenID MapStore Login

<img src="../img/openid-mapstore-login.png" class="ms-docimage" style="max-width: 400px"/>
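Review bot: the trailing inline comment in the `properties` block, `restSessionService.sessionTimeout=60 #in seconds`, will not do what the author intends: in a Java `.properties` file `#` only starts a comment at the beginning of a line, so the value read by the backend becomes `60 #in seconds` rather than `60` and will not convert to an integer; move the comment onto its own line above the key. Two related consistency points in the same hunk: the file is called `mapstore-ovr.properties` in the intro but `mapstore.properties` in the admonition, and the `json` block (`tokenRefreshInterval: 60000 // default 30 seconds`) is not valid JSON (unquoted key, `//` comment) while its comment contradicts the example value; suggest `"tokenRefreshInterval": 30000` and state the default in the prose. Wording: "In order to change these default. the administrator can change these defaults" is a broken duplicated sentence, "the refresh token last forever" should read "lasts forever", and the paragraph ending "configured on the client side," runs into the next sentence with a comma instead of a full stop.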
