Onboarding Token Validity
The expiration of client access tokens and refresh tokens can be adjusted by configuring the Client Identity Management Service (CIMS) in Storemanager.
Note:
The lifespan of the tokens in CIMS MUST NOT be greater than the maximum lifespan of the tokens in the realm's token settings in Keycloak (default is 12 days).
The validity of the client's refresh token is determined by Keycloak based on the value of the property Offline Session Idle (the default is 30 days) in the settings of the Clients realm in Keycloak.
CIMS Configuration
| Category | File | Parameter | Value/Example value | Hint |
|---|---|---|---|---|
| Expert view | clients.properties | clients.realmNameTemplate | clients | Name of the realm in Keycloak where clients will be created |
| | | clients.client-type.<client-type>.auth.central.accessTokenLifespan | 3600s | Lifespan of the central access token. Seconds [s], hours [h], and days [d] can be used. |
| | | clients.client-type.<client-type>.auth.edge.accessTokenLifespan | 72h | Lifespan of the edge access token. Seconds [s], hours [h], and days [d] can be used. |
| | | clients.client-type.<client-type>.unused-clients.timeout | <days>d | Timeout for unused clients. Seconds [s], hours [h], and days [d] can be used. * |
Note:
* The value of the parameter clients.client-type.<client-type>.unused-clients.timeout is currently set to 30d by default, but should reflect the usage of the client. For example, if some POS clients are only used once a year, the value must be set to 365d; otherwise re-onboarding is needed. Keep in mind that, in this case, the Offline Session Idle property in Keycloak also needs to be adapted to match the largest value of clients.client-type.<client-type>.unused-clients.timeout in clients.properties.
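The two notes above can be checked before a configuration change is rolled out. The following script is an added example, not part of CIMS or Keycloak: it assumes clients.properties uses plain key=value lines, takes the Keycloak realm values as arguments (defaulting to the 12 days and 30 days stated above), and reports an Offline Session Idle that is shorter than the largest unused-clients.timeout. The client types pos and kiosk and the sample values are constructed.

```python
import re

UNIT_SECONDS = {"s": 1, "h": 3600, "d": 86400}
KEY = re.compile(
    r"^clients\.client-type\.([^.]+)\."
    r"(auth\.(?:central|edge)\.accessTokenLifespan|unused-clients\.timeout)$")

def to_seconds(value):
    """Convert a CIMS duration such as 3600s, 72h or 30d to seconds."""
    m = re.fullmatch(r"(\d+)([shd])", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]

def check(properties_text, realm_max_token="12d", offline_session_idle="30d"):
    """Return findings for the token lifespan and Offline Session Idle notes."""
    max_token, idle = to_seconds(realm_max_token), to_seconds(offline_session_idle)
    findings, timeouts = [], {}
    for line in properties_text.splitlines():
        key, _, value = (part.strip() for part in line.partition("="))
        m = KEY.match(key)
        if not m:
            continue  # comments, blank lines and unrelated keys
        client_type, setting = m.groups()
        seconds = to_seconds(value)
        if setting.endswith("accessTokenLifespan") and seconds > max_token:
            findings.append(f"{key}={value} exceeds realm maximum {realm_max_token}")
        elif setting == "unused-clients.timeout":
            timeouts[client_type] = (seconds, value)
    if timeouts:
        client_type, (seconds, value) = max(timeouts.items(), key=lambda kv: kv[1][0])
        if seconds > idle:
            findings.append(
                f"Offline Session Idle {offline_session_idle} is shorter than "
                f"unused-clients.timeout {value} of client type {client_type}")
    return findings

# Constructed sample input (hypothetical client types "pos" and "kiosk").
SAMPLE = """\
clients.client-type.pos.auth.central.accessTokenLifespan=3600s
clients.client-type.pos.auth.edge.accessTokenLifespan=72h
clients.client-type.pos.unused-clients.timeout=365d
clients.client-type.kiosk.auth.edge.accessTokenLifespan=14d
clients.client-type.kiosk.unused-clients.timeout=30d
"""

if __name__ == "__main__":
    print("\n".join(check(SAMPLE)) or "no findings")
```

With the sample input, the 14d edge token lifespan and the 365d timeout are both reported; passing offline_session_idle="365d" clears the second finding.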