Changing External Auth Token Settings in Keycloak

Describes how to change access and refresh token settings through the Keycloak Admin Console.

For access and refresh tokens obtained through the user credential or refresh methods, the site administrator can set token lifetimes to any value appropriate for the external client applications at the site. The site administrator can also change the ua-grant OIDC client to a confidential client configuration.

A site administrator can sign in to the Keycloak Admin Console to make the following changes:
NOTE
You can look at the value of the exp claim in the token itself to determine the access token and refresh token expiration. The exp claim is the UNIX-epoch representation of the token's expiration date and time. If a client needs to make time-based token-handling decisions, use the exp value rather than an assumed lifetime.
When changing the token lifetime, consider both security and usability. For example, long-lived tokens are reusable, which can be convenient but can also cause security issues if the token is accessed by an unauthorized user or application. Any person or entity holding a user's access token can act as that user to access the application endpoints until the token expires.
NOTICE
HPE recommends a one-hour lifetime; however, the site administrator must make the token lifetime determination for their environment and adjust for the security tradeoffs.
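The note above says to read the exp claim rather than assume a lifetime. The following added example (not part of the HPE documentation or of Keycloak) shows a client-side helper that extracts exp from a token, computes the time remaining, and decides whether a refresh is due before the token expires. It builds a constructed, unsigned sample token so it runs offline; the helper deliberately does not verify the signature, because it is only used for scheduling a refresh, never for accepting a token as valid.

```python
import base64
import json
import time
from typing import Optional


def decode_jwt_payload(token: str) -> dict:
    """Return the JSON payload of a compact JWT without verifying its signature.

    Suitable only for client-side scheduling ("when should I refresh?").
    Nothing here checks the signature, issuer or audience, so this must
    never be used to decide whether a token is trustworthy.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload_b64 = parts[1]
    # JWT segments are base64url without padding; restore it before decoding
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def seconds_until_expiry(token: str, now: Optional[float] = None) -> int:
    """Seconds remaining until the token's exp claim (negative once expired)."""
    exp = decode_jwt_payload(token).get("exp")
    if not isinstance(exp, int):
        raise ValueError("token has no integer exp claim")
    now = time.time() if now is None else now
    return int(exp - now)


def needs_refresh(token: str, now: Optional[float] = None, skew: int = 60) -> bool:
    """True when the token expires within `skew` seconds or has already expired.

    The skew absorbs clock drift between the client and Keycloak and the
    time a request spends in flight, so a call is not sent with a token
    that expires before the server evaluates it.
    """
    return seconds_until_expiry(token, now) <= skew


def make_demo_token(claims: dict) -> str:
    """Build a constructed sample token in compact JWT form for this demo.

    Constructed input only: the third (signature) segment is left empty.
    Real Keycloak tokens carry a signature that the resource server verifies.
    """
    def b64url(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = {"alg": "RS256", "typ": "JWT"}  # header only; no real signature follows
    return f"{b64url(header)}.{b64url(claims)}."


if __name__ == "__main__":
    now = int(time.time())
    # Constructed token with the one-hour lifetime the page recommends
    demo = make_demo_token({"sub": "demo-user", "iat": now, "exp": now + 3600})
    print("seconds until expiry:", seconds_until_expiry(demo))
    print("refresh due now?", needs_refresh(demo))
```

Because the exp value is what Keycloak actually enforces, a client written this way keeps working unchanged after the site administrator shortens or lengthens the Access Token Lifespan in the Admin Console.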

To sign in and make changes, the site administrator must have the Keycloak admin password. Accessing the Keycloak Admin Console provides the steps to get the Keycloak admin password.

Accessing the Keycloak Admin Console

To access the Keycloak Admin Console, complete the following steps:
  1. To get the Keycloak admin password, use kubectl and the administrative (full access) kubeconfig, as shown:
    kubectl -n ezaddon-system get secret hpecp-bootstrap-authcreds -o jsonpath='{.data.SUPER_ADMIN_PASSWORD}' | base64 -d
  2. In a web browser, go to https://$KC_ADDR/admin/master/console/ and use the admin password to log in as the admin user.
    TIP
    KC_ADDR is the Keycloak service address:
    keycloak.<cluster-DNS-domain-name>.com

Changing the Lifetime of the Externally Granted Access Token

To change the lifetime of the externally granted access token for an HPE Ezmeral Unified Analytics Software site, complete the following steps:
  1. Sign in to the Keycloak Admin Console, as described in Accessing the Keycloak Admin Console.
  2. In the upper left pulldown, switch to the UA realm.
  3. In the left navigation bar, select Clients.
  4. Select the ua-grant client.
  5. Select the Advanced tab.
  6. On the right, click Advanced Settings.
  7. Change the Access Token Lifespan value.
  8. Click Save at the bottom of the Advanced Settings box.

Changing the 7-Day Refresh Token Lifetime

To change the lifetime of the 7-day refresh token, complete the following steps:
  1. Sign in to the Keycloak Admin Console, as described in Accessing the Keycloak Admin Console.
  2. In the upper left pulldown, switch to the UA realm.
  3. In the left navigation bar, select Realm Settings.
  4. Select the Sessions tab.
  5. Change the values of SSO Session Idle and/or SSO Session Max.
    NOTE
    Changing these values affects the behavior of the refresh tokens and the Keycloak session cookies. The session cookies set the upper limit for how long a user can stay logged in through the web browser.
  6. Click Save at the bottom of the page.

Changing the 30-Day Idle Timer for Offline Refresh Tokens

To change the 30-day idle timer for offline refresh tokens, complete the following steps:
  1. Sign in to the Keycloak Admin Console, as described in Accessing the Keycloak Admin Console.
  2. In the upper left pulldown, switch to the UA realm.
  3. In the left navigation bar, select Realm Settings.
  4. Change the value of Offline Session Idle.
  5. Click Save at the bottom of the page.

Making the ua-grant OIDC Client a Confidential Client

A confidential client configuration ensures that a refresh token is used with a secret for additional security. For example, if a refresh token is leaked, the refresh token is useless unless the token is accompanied by the secret.

For added security, the external client program should use different storage methods for the secret and refresh token.

The same secret value should be provided to all client programs that use the ua-grant OIDC client in an HPE Ezmeral Unified Analytics Software cluster.

To make the ua-grant OIDC client a confidential client, complete the following steps:
  1. Sign in to the Keycloak Admin Console, as described in Accessing the Keycloak Admin Console.
  2. In the upper left pulldown, switch to the UA realm.
  3. In the left navigation bar, select Clients.
  4. Select the ua-grant client.
  5. Scroll down to Client authentication and toggle it on.
  6. Click Save at the bottom of the page.
  7. Select the Credentials tab that appears.
  8. In the Client secret box, click on the eye icon to reveal the client secret value, and/or click the copy icon to copy the value to the clipboard.
  9. Use this value as the client_secret parameter in POST requests to this OIDC client.
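The following added example (not part of the HPE documentation or of Keycloak) shows how an external client program uses the client secret once ua-grant is confidential: it builds the refresh-grant POST to the Keycloak token endpoint with both the refresh token and client_secret, reads the two credentials from separate stores as the section recommends, and produces a redacted copy of the form for logging. The realm name UA, the KC_ADDR default and the credential file paths are assumptions; the token endpoint path is Keycloak's standard OpenID Connect token endpoint. The request is built but not sent, so the example runs offline.

```python
import json
import os
import tempfile
from typing import Dict
from urllib.parse import parse_qsl, urlencode
from urllib.request import Request, urlopen

# Assumptions (not from the page): the realm's internal name is "UA", and
# KC_ADDR is the Keycloak service address described under "Accessing the
# Keycloak Admin Console". The placeholder host below is used only if
# KC_ADDR is not set in the environment.
KC_ADDR = os.environ.get("KC_ADDR", "keycloak.example.com")
REALM = "UA"
CLIENT_ID = "ua-grant"
TOKEN_ENDPOINT = f"https://{KC_ADDR}/realms/{REALM}/protocol/openid-connect/token"


def read_credential_file(path: str) -> str:
    """Read one credential from a file that only the client's user can read.

    Keeping the client secret and the refresh token in different files (or
    different stores altogether) means one leaked file is not enough to
    obtain new access tokens from the confidential client.
    """
    if os.stat(path).st_mode & 0o077:
        raise PermissionError(f"{path} is readable by group/other; restrict it to 0600")
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def build_refresh_request(refresh_token: str, client_secret: str) -> Request:
    """Build (without sending) the refresh-token grant for the confidential client.

    With Client authentication enabled, Keycloak rejects this grant unless the
    client_secret accompanies the refresh token, which is what makes a leaked
    refresh token useless on its own.
    """
    form = {
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }
    return Request(
        TOKEN_ENDPOINT,
        data=urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def form_fields(req: Request) -> Dict[str, str]:
    """Decode a request's form body back into a dict (used for checks and logging)."""
    return dict(parse_qsl(req.data.decode()))


def redacted_form(req: Request) -> Dict[str, str]:
    """Copy of the form fields that is safe to log: both credentials are masked."""
    fields = form_fields(req)
    for key in ("client_secret", "refresh_token"):
        if key in fields:
            fields[key] = "***"
    return fields


def refresh_access_token(refresh_token: str, client_secret: str) -> dict:
    """Send the grant and return Keycloak's JSON token response (not run offline)."""
    with urlopen(build_refresh_request(refresh_token, client_secret)) as resp:
        return json.load(resp)


def write_demo_credential(value: str) -> str:
    """Create a constructed 0600 credential file for the demo and return its path."""
    fd, path = tempfile.mkstemp(prefix="demo-cred-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(value + "\n")
    os.chmod(path, 0o600)
    return path


if __name__ == "__main__":
    # Constructed credentials in two separate files, as the section recommends
    secret_path = write_demo_credential("constructed-client-secret")
    token_path = write_demo_credential("constructed-refresh-token")
    req = build_refresh_request(
        read_credential_file(token_path), read_credential_file(secret_path)
    )
    print(req.get_method(), req.full_url)
    print("form (redacted):", redacted_form(req))
```

Logging only the redacted form matters here: the access token issued in response is bearer-style (anyone holding it can act as the user until exp), and the refresh token plus client_secret together are enough to mint more of them.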