redhat-developer · Gerry-Forde · Nov 13, 2024 · Nov 6, 2024 · Nov 6, 2024 · Nov 7, 2024
diff --git a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc
@@ -23,6 +23,11 @@ Save the value for the next step:
 * **Client ID**
 * **Client Secret**
 
+.. Configure your {rhsso} realm for performance and security:
+... Navigate to the **Configure > Realm Settings**.
+... Set the **Access Token Lifespan** to a value greater than 5 min (ideally 10 or 15 minutes) to avoid performance issue caused by unnecessary refresh token requests sent for every API call.
+... Enable the **Revoke Refresh Token** option to improve security by enabling the refresh token rotation strategy.
+
 .. To prepare for the verification steps, in the same realm, get the credential information for an existing user or link:https://docs.redhat.com/en/documentation/red_hat_single_sign-on/7.6/html-single/getting_started_guide/index#create-user_[create a user]. Save the user credential information for the verification steps.
 
 . To add your {rhsso} credentials to your {product-short} secrets, edit your {product-short} secrets, such as `secrets-rhdh`, and add the following key/value pairs:
@@ -163,6 +168,20 @@ auth:
 ----
 --
 
+`auth.backstageTokenExpiration`::
+--
+To change {product-short} token expiration from the default value of one hour.
+Note that this is not the session duration, but rather the duration that the short-term cryptographic tokens are valid for.
+You cannot set the expiration value lower than 10 minutes or above 24 hours.
+
+.`app-config-rhdh.yaml` fragment with optional `auth.backstageTokenExpiration` field
+[source,yaml,subs="+quotes"]
+----
+auth:
+  backstageTokenExpiration: { minutes: _<user_defined_value>_ }
+----
+--
+
 --
 
 .Verification