RHIDP-4684 Update Keycloak configuration instructions (#681)

themr0c · hmanwani-rh · web-flow · commit 89285cd9d448 · 2024-11-13T17:35:52.000Z
* RHIDP-4684 Update Keycloak configuration instructions to improve performance and security

Signed-off-by: Fabrice Flore-Thébault &lt;ffloreth@redhat.com&gt;

* RHIDP-4684 Update Keycloak configuration instructions to improve performance and security

Signed-off-by: Fabrice Flore-Thébault &lt;ffloreth@redhat.com&gt;

* Update modules/authentication/proc-enabling-authentication-with-rhsso.adoc

Co-authored-by: Heena Manwani &lt;59050394+hmanwani-rh@users.noreply.github.com&gt;

* Update modules/authentication/proc-enabling-authentication-with-rhsso.adoc

Co-authored-by: Heena Manwani &lt;59050394+hmanwani-rh@users.noreply.github.com&gt;

* Apply suggestions from code review

Co-authored-by: Heena Manwani &lt;59050394+hmanwani-rh@users.noreply.github.com&gt;

---------

Signed-off-by: Fabrice Flore-Thébault &lt;ffloreth@redhat.com&gt;
Co-authored-by: Heena Manwani &lt;59050394+hmanwani-rh@users.noreply.github.com&gt;
diff --git a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc
@@ -23,6 +23,11 @@ Save the value for the next step:
 * **Client ID**
 * **Client Secret**
 
+.. Configure your {rhsso} realm for performance and security:
+... Navigate to the **Configure** > **Realm Settings**.
+... Set the **Access Token Lifespan** to a value greater than five minutes (preferably 10 or 15 minutes) to prevent performance issues from frequent refresh token requests for every API call.
+... Enable the **Revoke Refresh Token** option to improve security by enabling the refresh token rotation strategy.
+
 .. To prepare for the verification steps, in the same realm, get the credential information for an existing user or link:https://docs.redhat.com/en/documentation/red_hat_single_sign-on/7.6/html-single/getting_started_guide/index#create-user_[create a user]. Save the user credential information for the verification steps.
 
 . To add your {rhsso} credentials to your {product-short} secrets, edit your {product-short} secrets, such as `secrets-rhdh`, and add the following key/value pairs:
@@ -163,6 +168,18 @@ auth:
 ----
 --
 
+`auth.backstageTokenExpiration`::
+--
+To modify the {product-short} token expiration from its default value of one hour, note that this refers to the validity of short-term cryptographic tokens, not the session duration. The expiration value must be set between 10 minutes and 24 hours.
+
+.`app-config-rhdh.yaml` fragment with optional `auth.backstageTokenExpiration` field
+[source,yaml,subs="+quotes"]
+----
+auth:
+  backstageTokenExpiration: { minutes: _<user_defined_value>_ }
+----
+--
+
 --
 
 .Verification
