diff --git a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc index c8850771a1..4f8d17d46d 100644 --- a/modules/authentication/proc-enabling-authentication-with-rhsso.adoc +++ b/modules/authentication/proc-enabling-authentication-with-rhsso.adoc @@ -23,6 +23,11 @@ Save the value for the next step: * **Client ID** * **Client Secret** +.. Configure your {rhsso} realm for performance and security: +... Navigate to the **Configure** > **Realm Settings**. +... Set the **Access Token Lifespan** to a value greater than five minutes (preferably 10 or 15 minutes) to prevent performance issues from frequent refresh token requests for every API call. +... Enable the **Revoke Refresh Token** option to improve security by enabling the refresh token rotation strategy. + .. To prepare for the verification steps, in the same realm, get the credential information for an existing user or link:https://docs.redhat.com/en/documentation/red_hat_single_sign-on/7.6/html-single/getting_started_guide/index#create-user_[create a user]. Save the user credential information for the verification steps. . To add your {rhsso} credentials to your {product-short} secrets, edit your {product-short} secrets, such as `secrets-rhdh`, and add the following key/value pairs: @@ -163,6 +168,18 @@ auth: ---- -- +`auth.backstageTokenExpiration`:: +-- +To modify the {product-short} token expiration from its default value of one hour, note that this refers to the validity of short-term cryptographic tokens, not the session duration. The expiration value must be set between 10 minutes and 24 hours. + +.`app-config-rhdh.yaml` fragment with optional `auth.backstageTokenExpiration` field +[source,yaml,subs="+quotes"] +---- +auth: + backstageTokenExpiration: { minutes: __ } +---- +-- + -- .Verification
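Review bot: in the first hunk, the step "Set the **Access Token Lifespan** to a value greater than five minutes ..." gives only the performance rationale and no security caveat; a longer access token lifespan also lengthens the window in which an already-issued token stays valid after the user's session is ended or the refresh token is revoked, so the step should state that trade-off in one sentence next to the recommended 10 or 15 minutes rather than presenting a longer lifespan as purely beneficial. The following step, "Enable the **Revoke Refresh Token** option to improve security by enabling the refresh token rotation strategy.", should also say what rotation means operationally (a refresh token is single-use, and a client that replays an old one is rejected), since that is the behaviour an administrator will observe. Minor wording in "Navigate to the **Configure** > **Realm Settings**.": drop "the", and consider naming the tab within Realm Settings where these two token settings live so readers do not have to search the realm settings pages for them.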
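Review bot: in the second hunk, the sentence "To modify the {product-short} token expiration from its default value of one hour, note that this refers to the validity of short-term cryptographic tokens, not the session duration." is a dangling purpose clause and buries the definition; suggest splitting it into a definition first ("`auth.backstageTokenExpiration` sets the lifetime of the short-term {product-short} tokens, one hour by default; it does not control the session duration.") followed by the constraint ("The value must be between 10 minutes and 24 hours."). The description should also carry the same caveat as the realm settings step earlier in the patch: raising this value extends how long an issued token remains accepted, so the upper bound of 24 hours is a ceiling, not a recommendation. Finally, the fragment shows only `backstageTokenExpiration: { minutes: __ }`; since the allowed range is expressed in both minutes and hours, say explicitly whether `minutes` is the only accepted key or whether other unit keys are allowed, so readers do not guess at the format.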