Commit 7b35cc2

manual cherrypick of update RHBK config docs with security consideration (redhat-developer#881)
Signed-off-by: Jessica He <[email protected]>
Co-authored-by: Heena Manwani <[email protected]>
1 parent 170acb7 commit 7b35cc2

File tree

1 file changed

+7
-5
lines changed

modules/authentication/proc-enabling-authentication-with-rhbk.adoc

@@ -23,11 +23,6 @@ Save the value for the next step:
2323
* **Client ID**
2424
* **Client Secret**
2525

26-
.. Configure your {rhbk} realm for performance and security:
27-
... Navigate to the **Configure** > **Realm Settings**.
28-
... Set the **Access Token Lifespan** to a value greater than five minutes (preferably 10 or 15 minutes) to prevent performance issues from frequent refresh token requests for every API call.
29-
... Enable the **Revoke Refresh Token** option to improve security by enabling the refresh token rotation strategy.
30-
3126
.. To prepare for the verification steps, in the same realm, get the credential information for an existing user or link:https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/24.0/html-single/getting_started_guide/index#getting-started-zip-create-a-user[create a user]. Save the user credential information for the verification steps.
3227

3328
. To add your {rhsso} credentials to your {product-short}, add the following key/value pairs to link:{plugins-configure-book-url}#provisioning-your-custom-configuration[your {product-short} secrets]:
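Review bot: the removal of the realm-configuration sub-steps in this hunk drops the Access Token Lifespan guidance (set it to more than five minutes so that a refresh token request is not made for every API call) and nothing in this commit reintroduces it; only the Revoke Refresh Token advice reappears, relocated into a later "Security consideration" block. If the lifespan recommendation is intentionally withdrawn, the commit message should say so; otherwise keep it as a sub-step here or carry it into the new block alongside the rotation setting, since the two settings were presented together as the performance and security configuration of the realm.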
@@ -182,6 +177,13 @@ auth:
182177

183178
--
184179

180+
.Security consideration
181+
If multiple valid refresh tokens are issued due to frequent refresh token requests, older tokens will remain valid until they expire. To enhance security and prevent potential misuse of older tokens, enable a refresh token rotation strategy in your {rhbk} realm.
182+
183+
. From the *Configure* section of the navigation menu, click *Realm Settings*.
184+
. From the *Realm Settings* page, click the *Tokens* tab.
185+
. From the *Refresh tokens* section of the *Tokens* tab, toggle the *Revoke Refresh Token* to the *Enabled* position.
186+
185187
.Verification
186188
. Go to the {product-short} login page.
187189
. Your {product-short} sign-in page displays *Sign in using OIDC* and the Guest user sign-in is disabled.
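Review bot: the added "Security consideration" block explains why stale refresh tokens are a risk but does not state the behavioural consequence of the change it asks for: once Revoke Refresh Token is enabled, a client that presents an already-rotated (older) refresh token is refused rather than silently served, so readers should be told to expect re-authentication for such clients and to check their client's token handling before enabling it. Also, the two consecutive blank lines added at 182 and 183 are one more than the rest of the file uses between a paragraph and the list that follows it; collapse them to a single blank line.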