
5 Steps to Configure Credential Expiry in Keycloak

Configuring credential expiry in Keycloak limits how long a stolen password or token stays usable and blocks logins with stale credentials. Here is the short version of the setup:

  1. Define password expiry rules: decide how often users must change their passwords (for example every 90 days).
  2. Rotate signing keys regularly: swap signing keys every 3 to 6 months to keep tokens trustworthy.
  3. Set OTP and recovery code expiry: decide how long One-Time Passwords (for example 30 seconds for TOTP) and recovery codes remain valid.
  4. Test the expiry rules: use test accounts to confirm the policies behave as intended.
  5. Automate the policies: set up automatic checks and updates so every user stays covered.

Why this matters:

  • 61% of breaches involve stolen credentials.
  • Short token lifetimes (for example 5 minutes for access tokens) shrink the window of exposure.
  • Regular credential rotation keeps the system both secure and usable.

Follow these steps to harden your Keycloak setup and reduce its weak spots. If you want a simpler route, tools such as Skycloak can take over much of this work and save time and effort.

What You Need to Know First

Before looking at how Keycloak handles credential expiry, you need the right access and a few key concepts.

Getting Access

To manage credential expiry you need administrator rights in the Keycloak Admin Console, so make sure your account has the admin role.

For finer-grained control, enable Authorization Services on the client you are working with. This turns the client into a resource server, and the Authorization tab then lets you manage resources, scopes, policies and permissions. With these you define the conditions under which protected resources can be accessed and link those resources to the policies that govern access.

Once you are signed in as an admin, get familiar with the different credential types and how Keycloak protects them.

Kinds of Credentials

Keycloak supports several credential types, each with its own protection and expiry mechanism:

  • Password credentials: Keycloak’s password policies, including the “Expire Password” policy, ensure passwords are changed periodically.
  • Client secrets: these can be expired and rotated through client policies, keeping client-to-server communication secure.
  • One-Time Password (OTP) credentials: Keycloak supports OTPs, with TOTP recommended over HOTP, as an extra factor at login.

For password storage, Keycloak uses 27,500 hashing iterations by default, a deliberately strong setting. Password policies cover minimum length, complexity (required digits, upper-case letters, lower-case letters and special characters) and limits on reusing previous passwords.

With the credential types in mind, let’s look at how Keycloak handles credential expiry and rotation to maintain security.

Basics of Credential Expiry and Rotation

Expiring and rotating credentials is central to security because it narrows the window for misuse. If credentials or tokens expire quickly, there is less opportunity for damage should they fall into the wrong hands.

“Best practices require secrets to be rotated on a regular basis.” – stianst, Maintainer

Keycloak’s default token settings are chosen with security in mind:

  • Access tokens expire after 5 minutes by default.
  • Refresh tokens typically last 30 minutes.

These short lifetimes limit the exposure of access tokens while refresh tokens keep the experience smooth for users. Keycloak also supports session expiry and revocation of old sessions: when a user logs out or an admin terminates a session, every token tied to it becomes invalid immediately.

Rotating credentials regularly adds a further layer of defence. Token lifetimes are configured under Realm Settings > Tokens, and where a client needs different values you can override them per client under Clients > [client name] > Settings.

Short-lived access tokens reduce risk, and longer-lived refresh tokens balance that security against usability.

How to Configure Credential Policies in Keycloak

Now that you know the credential types and when they expire, the next step is learning where to set their policies in the Keycloak Admin Console. Once you know where to look, it is straightforward.

Navigating the Admin Console

Start by signing in to the Keycloak Admin Console with an admin user from the master realm; this user needs permission to change policies. Then select the realm whose credential policies you want to configure. Each realm has its own settings, so make sure you are in the right one for your organisation.

The main navigation is in the left-hand menu. Credential policies live under the Authentication section, which is where you will find and configure the policies you need.

Finding the Credential Policy Settings

Under the Authentication menu, the policies are grouped by credential type:

  • Password policies: open the Policies tab, click Add policy, fill in the required values and save your changes.
  • OTP (One-Time Password) policies: under Authentication, open the Policies tab and select OTP Policy.

“Effective password management is an important aspect of securing user accounts, and Keycloak provides tools to enforce strong authentication policies. By configuring password rules, administrators can ensure that credentials meet security standards, reducing the risk of unauthorized access.” – Inero Software

These tabs give admins ready-made options for enforcing strong security. You can set policies during initial setup or adjust them later to enforce requirements such as “Update Password” or “Expire Password”. When changing settings, make sure any resources, permissions or policies you have created remain consistent with the standard configuration so nothing conflicts.

5 Steps to Configure Credential Expiry

Configuring credential expiry in Keycloak is essential for secure logins without locking users out. The following five steps make sure your expiry policies protect your organisation.

Step 1: Set Password Expiry

Password expiry is at the heart of credential security in Keycloak. Open the Authentication menu in the Admin Console and select the Password Policy tab. Here you define the rules every user in the realm must follow.

  • Click Add policy and choose Expire Password from the list.
  • Set the desired period, for example 90 days, a common choice in enterprise environments.
  • Make existing users pick up the new rule by assigning the Update Password required action to all current accounts. If you skip this, the rule applies only to newly set passwords.

Because password policies apply at the realm level, every user gets the same period. With passwords handled, move on to strengthening the system with key rotation.

Step 2: Configure Key Rotation and Expiry

Regular key rotation protects the integrity of signatures and encryption. Keycloak works with key pairs: one active pair signs new tokens, and additional passive pairs remain available to verify tokens that were signed before the rotation.

  • Go to Realm Settings, open the Keys tab and select Providers.
  • Click Add provider and choose rsa-generated. Set a Priority (the highest value is the key used for signing), pick the AES key size you want, and save.

Rotate keys every 3–6 months and remove old keys 1–2 months after a rotation, so that all tokens and cookies have been reissued before the old keys disappear. If you suspect a key has been compromised, generate and activate a new key immediately, then remove the compromised one.

Applications that hold offline tokens must refresh them before the old keys are removed, so that the rotation passes without disruption.
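One way to verify the rotation state described in this step from a script, as an added example that is not from the article or the Keycloak project: it reads the JSON shape that the Admin REST API returns for the realm key listing (constructed sample data here) and flags rotations that left the old key active or that never retired passive keys.

```python
"""Added example, not from the article or the Keycloak project: check the
rotation state from Step 2 against the JSON that the Admin REST API returns
for GET /admin/realms/{realm}/keys."""
import json

# Constructed sample response; only the fields used below are included.
SAMPLE_KEYS = json.dumps({
    "active": {"RS256": "kid-2025", "HS256": "kid-hmac"},
    "keys": [
        {"kid": "kid-2025", "algorithm": "RS256", "status": "ACTIVE", "providerPriority": 200},
        {"kid": "kid-2024", "algorithm": "RS256", "status": "PASSIVE", "providerPriority": 100},
        {"kid": "kid-hmac", "algorithm": "HS256", "status": "ACTIVE", "providerPriority": 100},
    ],
})

# Constructed sample of a sloppy rotation: the old key was never set passive.
SAMPLE_KEYS_BAD = json.dumps({
    "active": {"RS256": "kid-2025"},
    "keys": [
        {"kid": "kid-2025", "algorithm": "RS256", "status": "ACTIVE", "providerPriority": 200},
        {"kid": "kid-2024", "algorithm": "RS256", "status": "ACTIVE", "providerPriority": 100},
    ],
})

def check_rotation(keys_json: str, algorithm: str = "RS256", max_passive: int = 1) -> list:
    """Return findings; an empty list means the rotation state is clean.
    Keycloak signs with the highest-priority ACTIVE key of an algorithm and
    uses PASSIVE keys only to verify tokens issued before the rotation. The
    max_passive limit is this example's own heuristic for the article's advice
    to delete old keys 1-2 months after rotating."""
    data = json.loads(keys_json)
    keys = [k for k in data["keys"] if k["algorithm"] == algorithm]
    active = [k for k in keys if k["status"] == "ACTIVE"]
    passive = [k for k in keys if k["status"] == "PASSIVE"]
    findings = []
    if len(active) != 1:
        findings.append(f"{len(active)} ACTIVE {algorithm} keys, expected exactly 1")
    if active:
        signer = max(active, key=lambda k: k["providerPriority"])
        if data["active"].get(algorithm) != signer["kid"]:
            findings.append("realm's active kid is not the top-priority ACTIVE key")
    if len(passive) > max_passive:
        findings.append(f"{len(passive)} PASSIVE keys lingering; retire the old ones")
    return findings
```

Run it against the real endpoint by replacing the sample strings with the response body; an empty list is the state you want to see between rotations.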

Step 3: Set Expiry for Other Credential Types

Keycloak manages more credential types than passwords and signing keys; OTPs and recovery codes also need expiry rules.

  • Under the Authentication menu, open the Policies tab and select OTP Policy.
  • Set expiry for time-based and counter-based OTP tokens. For example, 30 seconds is a typical window for TOTP tokens and balances security against usability well.
  • Define expiry rules for recovery codes so they become invalid after a set period or number of uses. This keeps stale codes from turning into a security risk.

Covering these additional credential types lowers risk across your whole authentication system.

Step 4: Test and Verify Credential Expiry

Testing confirms that your expiry policies behave smoothly. Use test accounts with short-lived credentials to simulate real scenarios.

  • Create a test password that expires after one day and walk through what the user sees when it runs out.
  • Verify key rotation by generating new keys and watching how tokens are validated while both old and new keys are in use.
  • Simulate several credential types expiring at once to spot possible user-facing issues. This also prepares your support team for the renewal requests that follow.

Thorough testing ensures the system works correctly and securely before you automate it.

Step 5: Automate Policy Enforcement and Checks

Once your credential expiry setup is tested and working, automate policy enforcement and checks so security keeps up as the user base grows.

  • Use external PDPs (policy decision points) for access decisions. This simplifies the setup and improves performance across many applications.
  • Cache access decisions to avoid re-evaluating the same checks repeatedly; this matters most when many users log in frequently.
  • Monitor Keycloak’s performance through its own metrics and optimise the data checks tied to access control. Review them regularly so small issues are fixed before they grow.

For more advanced automation, consider tools such as Skycloak, which handle notifying users of expiring credentials, updating policies and integrating with enterprise systems. They reduce the load on your IT team while keeping policies consistently enforced across your identity management.

Best Practices and Troubleshooting

Configuring credential expiry in Keycloak takes careful planning, correct implementation and quick fixes to keep both security and usability intact.

Recommended Expiry Times

Each credential type needs its own expiry period to balance security against usability. By default, Keycloak sets access tokens to 5 minutes and refresh tokens to 30 minutes. These defaults suit most cases, but you can adjust them to match your application’s security requirements.

Handling Expired Tokens

Handling expired tokens correctly keeps the user experience smooth and reduces disruption. In Keycloak, tokens are invalidated through session state: for example, if a password changes or suspicious activity is detected, you can revoke sessions manually from the Admin Console to log users out immediately.

Refresh tokens let you renew access tokens without forcing users to log in again. Your login page should also state clearly what has happened when a token expires. A simple message such as “Your session has ended for security reasons. Please log in again” guides users back with minimal confusion.

With these basics in place, fixing common problems will round out your approach.

Common Problems and Fixes

Password policies: new password policies in Keycloak apply only to new users unless you enable the “Update Password” required action or use the “Expire Password” option, which forces existing users to update their passwords. Remember that these policies apply at the realm level; if different groups need different rules, you may need a custom provider.

Balancing security and usability: overly strict password rules frustrate users. If you use a password blacklist file, review it periodically so it does not reject reasonable choices.

Token expiry: token lifetimes can be set at both the realm and client levels. If you run into problems, check both settings to find the root cause.

For more complex setups, dedicated tools can make the job easier. Skycloak, for example, is designed to handle many of these problems on its own and provides ready-made settings for common token expiry configurations, saving time and making sure the setup meets your security requirements.

Wrap Up

Follow these five steps to configure credential expiry in Keycloak and make your identity and access management more secure. The approach covers everything from password rotation rules and token lifetimes to automated checks and policy maintenance. With lost or stolen credentials involved in 61% of breaches, getting these settings right is essential to protecting your organisation. They make things safer while keeping the experience smooth for users.

The goal is a good balance between security and usability. For example, 5-minute access tokens paired with sensible refresh intervals keep logins flowing well. Adding automatic token renewal to your applications keeps users signed in and reduces security risk.

FAQs

Why should access and refresh tokens in Keycloak have short lifetimes?

Shortening the lifetimes of access and refresh tokens improves security by reducing the window in which a stolen or leaked token can be used. This simple change lowers the odds of unauthorised access to your system.

A useful side effect of short token lifetimes is frequent token renewal, which helps you detect and deal with compromised tokens quickly and adds another layer of protection to your access management.

How can I automate password expiry and policy changes in Keycloak to improve security?

Keycloak’s Admin REST API lets you drive password expiry and policy changes from code. Through the API you can set password policies and token lifetimes directly, which makes it easy to fold these changes into scripts or automation tooling. That removes manual changes and keeps your security policies current.

Keycloak also integrates with LDAP and Active Directory, so it can sync user details and apply expiry rules automatically. This reduces the manual checking you need to do while keeping you within policy. Automating these parts makes the system easier to operate and keeps the setup secure.
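The API-driven approach this answer describes, applied to the realm settings from Steps 1 and 3, as an added example that is not from the article or the Keycloak project. It assumes a reachable Keycloak base URL, a realm name, a user id and an admin bearer token obtained separately; the builder functions run offline, and only the two apply functions talk to the server.

```python
"""Added example, not from the article or the Keycloak project: apply the
realm-level expiry settings from Steps 1 and 3 through the Admin REST API, as
the FAQ suggests. Base URL, realm, user id and bearer token are assumed inputs."""
import json
import urllib.request

# Policy ids as Keycloak's password-policy string spells them; the values are
# the article's suggestions: 90-day expiry, complexity, no reuse of the last 5.
PASSWORD_RULES = {
    "forceExpiredPasswordChange": 90,   # the "Expire Password" policy, in days
    "length": 12,
    "digits": 1,
    "upperCase": 1,
    "lowerCase": 1,
    "specialChars": 1,
    "notRecentlyUsed": 5,
}

def build_password_policy(rules: dict) -> str:
    """Serialise rules into the 'name(value) and name(value)' string Keycloak stores."""
    return " and ".join(f"{name}({value})" for name, value in rules.items())

def build_realm_update(rules: dict) -> dict:
    """Partial RealmRepresentation: password policy, token lifetimes in seconds
    (the article's 5-minute access / 30-minute refresh defaults) and Step 3's
    30-second TOTP window."""
    return {
        "passwordPolicy": build_password_policy(rules),
        "accessTokenLifespan": 5 * 60,
        "ssoSessionIdleTimeout": 30 * 60,   # bounds the refresh token lifetime
        "otpPolicyType": "totp",
        "otpPolicyPeriod": 30,
    }

def _put(url: str, token: str, payload: dict) -> int:
    """PUT JSON with a bearer token; Keycloak answers 204 on success."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers=headers, method="PUT")
    with urllib.request.urlopen(req) as resp:
        return resp.status

def apply_realm_update(base_url: str, realm: str, token: str) -> int:
    return _put(f"{base_url}/admin/realms/{realm}", token, build_realm_update(PASSWORD_RULES))

def force_password_update(base_url: str, realm: str, token: str, user_id: str) -> int:
    """Step 1's caveat: existing users only pick up the rule via UPDATE_PASSWORD."""
    return _put(f"{base_url}/admin/realms/{realm}/users/{user_id}", token,
                {"requiredActions": ["UPDATE_PASSWORD"]})
```

Because the realm PUT is a partial update, only the listed fields change; loop force_password_update over the user ids from the users endpoint to roll the new rule out to existing accounts.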


© 2025 All Rights Reserved. Made by Yasser