feat: expose timeouts

README.md

@@ -22,8 +22,8 @@ This repo builds the UDS Identity (Keycloak) Config image used by UDS Identity.
 
 ## Customizing UDS Identity Config
 
-If the default realm, plugin, theme, truststore, or jars do not provide enough functionality ( or provide too much functionality ), take a look at the [CUSTOMIZE.md](./docs/CUSTOMIZE.md) docs for making changes to the identity config.
+If the default realm, plugin, theme, truststore, or jars do not provide enough functionality ( or provide too much functionality ), take a look at the [CUSTOMIZE.md](./docs/reference/UDS%20Core/IdAM/CUSTOMIZE.md) docs for making changes to the identity config.
 
 
 ## Upgrading Identity Config
-When upgrading the Identity Config version, check the [Version Upgrade](./docs/VERSION_UPGRADE.md) docs for help.
+When upgrading the Identity Config version, check the [Version Upgrade](./docs/reference/UDS%20Core/IdAM/upgrading-versions.md) docs for help.

docs/reference/UDS Core/IdAM/customization.md

@@ -115,9 +115,17 @@ overrides:
                TERMS_AND_CONDITIONS_ENABLED: true
                PASSWORD_POLICY: <fill in value here>
                X509_OCSP_FAIL_OPEN: true
+               ACCESS_TOKEN_LIFESPAN: 600
+               SSO_SESSION_LIFESPAN_TIMEOUT: 1200
+               SSO_SESSION_MAX_LIFESPAN: 36000
 ```
 
-> These environment variables can be found in the [realm.json](https://github.com/defenseunicorns/uds-identity-config/blob/main/src/realm.json) `identityProviders` section.
+> These environment variables can be found in the [realm.json](https://github.com/defenseunicorns/uds-identity-config/blob/main/src/realm.json).
+
+#### Customize Session and Access Token Timeouts
+The `SSO_SESSION_IDLE_TIMEOUT` specifies how long a session remains active without user activity, while the `ACCESS_TOKEN_LIFESPAN` defines the validity duration of an access token before it requires refreshing. The `SSO_SESSION_MAX_LIFESPAN` determines the maximum duration a session can remain active, regardless of user activity.
+
+To ensure smooth session management, configure the idle timeout to be longer than the access token lifespan (e.g., 10 minutes idle, 5 minutes lifespan) so tokens can be refreshed before the session expires, and ensure the max lifespan is set appropriately (e.g., 8 hours) to enforce session limits. Misalignment, such as setting a longer token lifespan than the idle timeout or not aligning the max lifespan with session requirements, can result in sessions ending unexpectedly or persisting longer than intended.
 
 ### Customize Truststore
 

src/realm.json

@@ -7,10 +7,10 @@
     "defaultSignatureAlgorithm": "RS256",
     "revokeRefreshToken": false,
     "refreshTokenMaxReuse": 0,
-    "accessTokenLifespan": 300,
+    "accessTokenLifespan": "${REALM_ACCESS_TOKEN_LIFESPAN:60}",
     "accessTokenLifespanForImplicitFlow": 900,
-    "ssoSessionIdleTimeout": 600,
-    "ssoSessionMaxLifespan": 36000,
+    "ssoSessionIdleTimeout": "${REALM_SSO_SESSION_IDLE_TIMEOUT:600}",
+    "ssoSessionMaxLifespan": "${REALM_SSO_SESSION_MAX_LIFESPAN:36000}",
     "ssoSessionIdleTimeoutRememberMe": 0,
     "ssoSessionMaxLifespanRememberMe": 0,
     "offlineSessionIdleTimeout": 2592000,

src/test/cypress/realm.json

@@ -7,10 +7,10 @@
     "defaultSignatureAlgorithm": "RS256",
     "revokeRefreshToken": false,
     "refreshTokenMaxReuse": 0,
-    "accessTokenLifespan": 300,
+    "accessTokenLifespan": "${REALM_ACCESS_TOKEN_LIFESPAN:60}",
     "accessTokenLifespanForImplicitFlow": 900,
-    "ssoSessionIdleTimeout": 600,
-    "ssoSessionMaxLifespan": 36000,
+    "ssoSessionIdleTimeout": "${REALM_SSO_SESSION_IDLE_TIMEOUT:600}",
+    "ssoSessionMaxLifespan": "${REALM_SSO_SESSION_MAX_LIFESPAN:36000}",
     "ssoSessionIdleTimeoutRememberMe": 0,
     "ssoSessionMaxLifespanRememberMe": 0,
     "offlineSessionIdleTimeout": 2592000,