Merge branch 'main' into RHIDP-5409-consistent-titles-subtitles

themr0c · web-flow · commit 3c71486b8f71 · 2025-01-31T15:02:08.000+01:00
diff --git a/modules/about/ref-supported-platforms.adoc b/modules/about/ref-supported-platforms.adoc
@@ -8,7 +8,3 @@
 
 You can find the supported platforms and life cycle dates for both current and past versions of {product} on the link:https://access.redhat.com/support/policy/updates/developerhub[Life Cycle page].
 
-[role="_additional-resources"]
-.Additional resources
-
-* link:https://redhat-developer.github.io/red-hat-developers-documentation-rhdh/pr-837/rel-notes-rhdh/#compatibility-matrix[{product} {product-version} Compatibility Matrix].
diff --git a/modules/authentication/proc-enabling-authentication-with-rhbk.adoc b/modules/authentication/proc-enabling-authentication-with-rhbk.adoc
@@ -23,11 +23,6 @@ Save the value for the next step:
 * **Client ID**
 * **Client Secret**
 
-.. Configure your {rhbk} realm for performance and security:
-... Navigate to the **Configure** > **Realm Settings**.
-... Set the **Access Token Lifespan** to a value greater than five minutes (preferably 10 or 15 minutes) to prevent performance issues from frequent refresh token requests for every API call.
-... Enable the **Revoke Refresh Token** option to improve security by enabling the refresh token rotation strategy.
-
 .. To prepare for the verification steps, in the same realm, get the credential information for an existing user or link:https://docs.redhat.com/en/documentation/red_hat_build_of_keycloak/24.0/html-single/getting_started_guide/index#getting-started-zip-create-a-user[create a user]. Save the user credential information for the verification steps.
 
 . To add your {rhsso} credentials to your {product-short}, add the following key/value pairs to link:{plugins-configure-book-url}#provisioning-your-custom-configuration[your {product-short} secrets]:
@@ -182,6 +177,13 @@ auth:
 
 --
 
+.Security consideration
+If multiple valid refresh tokens are issued due to frequent refresh token requests, older tokens will remain valid until they expire. To enhance security and prevent potential misuse of older tokens, enable a refresh token rotation strategy in your {rhbk} realm.
+
+. From the *Configure* section of the navigation menu, click *Realm Settings*.
+. From the *Realm Settings* page, click the *Tokens* tab.
+. From the *Refresh tokens* section of the *Tokens* tab, toggle the *Revoke Refresh Token* to the *Enabled* position.
+
 .Verification
 . Go to the {product-short} login page.
 . Your {product-short} sign-in page displays *Sign in using OIDC* and the Guest user sign-in is disabled.
