feat: increase keycloak session timeouts (#382)

This PR increases the SSO session max lifespan from 7 days to 30 days
and session idle time from 48h to 72h, reducing forced re-authentication
frequency for active users.

Author: skipi

helm-chart/templates/configmaps/authentication.yaml

@@ -15,3 +15,7 @@ data:
   OIDC_MANAGE_CLIENT_ID: semaphore-user-management
   SESSION_COOKIE_NAME: _semaphoreci_2_0_sxmoon_session
   ENABLE_TEMPORARY_PASSWORDS: "true"
+  SESSION_IDLE_TIMEOUT: "72h"
+  SESSION_MAX_TIMESPAN: "30d"
+  ACCESS_TOKEN_LIFESPAN: "1h"
+  OFFLINE_SESSION_IDLE_TIMEOUT: "30d"

keycloak/setup/helm/templates/setup-job.yaml

@@ -28,6 +28,14 @@ spec:
             valueFrom: { configMapKeyRef: { name: {{ .Values.global.authentication.configMapName }}, key: KC_LOCAL_URL } }
           - name: TF_VAR_semaphore_realm
             valueFrom: { configMapKeyRef: { name: {{ .Values.global.authentication.configMapName }}, key: KC_REALM } }
+          - name: TF_VAR_semaphore_realm_session_idle_timeout
+            valueFrom: { configMapKeyRef: { name: {{ .Values.global.authentication.configMapName }}, key: SESSION_IDLE_TIMEOUT } }
+          - name: TF_VAR_semaphore_realm_session_max_lifespan
+            valueFrom: { configMapKeyRef: { name: {{ .Values.global.authentication.configMapName }}, key: SESSION_MAX_TIMESPAN } }
+          - name: TF_VAR_semaphore_realm_access_token_lifespan
+            valueFrom: { configMapKeyRef: { name: {{ .Values.global.authentication.configMapName }}, key: ACCESS_TOKEN_LIFESPAN } }
+          - name: TF_VAR_realm_offline_session_idle_timeout
+            valueFrom: { configMapKeyRef: { name: {{ .Values.global.authentication.configMapName }}, key: OFFLINE_SESSION_IDLE_TIMEOUT } }
           - name: TF_VAR_semaphore_user_management_client_id
             valueFrom: { configMapKeyRef: { name: {{ .Values.global.authentication.configMapName }}, key: OIDC_MANAGE_CLIENT_ID } }
           - name: TF_VAR_semaphore_user_management_client_name

keycloak/setup/main.tf

@@ -32,11 +32,11 @@ resource "keycloak_realm" "semaphore_realm" {
 
   login_theme = var.semaphore_realm_login_theme
 
-  access_token_lifespan        = "60m"
-  offline_session_idle_timeout = "60m"
+  access_token_lifespan        = var.semaphore_realm_access_token_lifespan
+  offline_session_idle_timeout = var.semaphore_realm_offline_session_idle_timeout
 
-  sso_session_idle_timeout = "48h"
-  sso_session_max_lifespan = "168h"
+  sso_session_idle_timeout = var.semaphore_realm_session_idle_timeout
+  sso_session_max_lifespan = var.semaphore_realm_session_max_lifespan
 
   registration_email_as_username = true
   verify_email                   = false

keycloak/setup/variables.tf

@@ -19,6 +19,30 @@ variable "semaphore_realm" {
   type        = string
 }
 
+variable "semaphore_realm_session_idle_timeout" {
+  description = "Semaphore realm session idle timeout"
+  type        = string
+  default     = "72h"
+}
+
+variable "semaphore_realm_session_max_lifespan" {
+  description = "Semaphore realm session max lifespan"
+  type        = string
+  default     = "30d"
+}
+
+variable "semaphore_realm_access_token_lifespan" {
+  description = "Semaphore realm access token lifespan"
+  type        = string
+  default     = "1h"
+}
+
+variable "semaphore_realm_offline_session_idle_timeout" {
+  description = "Semaphore realm offline session idle timeout"
+  type        = string
+  default     = "30d"
+}
+
 variable "semaphore_realm_update_password_action" {
   description = "If enabled, newly created accounts will be required to update their password on first login"
   type        = bool
@@ -137,4 +161,4 @@ variable "gitlab_provider_client_secret" {
 variable "gitlab_provider_authorization_url" {
   description = "Gitlab provider authorization url"
   type        = string
-}
+}