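For a specific client, I am trying to extend the lifetime of the JWTs issued to that client to a very long period.
However, Keycloak only issues JWTs that expire after 1 day: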
KEYCLOAK_URL=http://localhost:8081/auth
REALM=users
ADMIN_CLIENT_ID=api-long-lived
ADMIN_CLIENT_SECRET=api-long-lived-password
token=$(curl --no-progress-meter --insecure --request POST $KEYCLOAK_URL/realms/$REALM/protocol/openid-connect/token \
--header 'content-type: application/x-www-form-urlencoded' \
--data-urlencode "client_id=$ADMIN_CLIENT_ID" \
--data-urlencode "client_secret=$ADMIN_CLIENT_SECRET" \
--data-urlencode 'grant_type=client_credentials' \
| jq -r .access_token)
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJCZXFqMlF3WjQ1ZC13Z2dTLVdYVzlzVUNTQ2IwamJ4Y091RTZFSkJiOTY4In0.[...].IrffhURy4BULBbVaHOUDp56aQOMkERGV3OiZ2nosAtQSdepBIe67aLsOewtW7Jkjui-q0qWPontqCaPZfqndmT5QIXdfuW1P9XMtDmm_R10dEgYa2wxb833_avp6O0_gxFKKL5qBZsm2jtYTIBqP-sqbeAvcqzSyakMAL9teoKzwAKYxlghdnGXNMzlBJU2h1k_c1kcQewWWdGTCwgThYrH6oU3wBWxi5cEkxrFb24-DNGoKgzYKeW-kFKlw9NEplLZJkVHEb8sjp8269Agvh3yZO5Dt235o0RLY2XweNFnGWVMLhO5wjtOET5bbbOocV_vA80_DXkNFXt1H2xFkHA
Decoded with https://jwt.io, this gives:
[...]
"exp": 1711357660,
"iat": 1711321660,
This corresponds to:
March 24, 2024 02:07:40 GMT-0700
March 25, 2024 02:07:40 GMT-0700
Even though setting such a long expiration time is not a good idea, why can't I extend the expiration time for this client beyond 1 day?
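The `exp` and `iat` claims can also be read locally, so a live bearer token never has to be pasted into a website. The following is an added example, not part of the original post: the helper names and the unsigned sample token are constructed for illustration, and only the `exp` and `iat` values are taken from the question.

```python
import base64
import json
from datetime import datetime, timezone


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, the form JWT segments use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_lifetime(jwt: str) -> dict:
    """Read iat/exp from a JWT payload WITHOUT verifying the signature.

    For inspection only: unverified claims must never drive an
    authorization decision.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    if "iat" not in claims or "exp" not in claims:
        raise ValueError("token carries no iat/exp claims")
    iat, exp = int(claims["iat"]), int(claims["exp"])
    return {
        "issued_utc": datetime.fromtimestamp(iat, tz=timezone.utc).isoformat(),
        "expires_utc": datetime.fromtimestamp(exp, tz=timezone.utc).isoformat(),
        "lifetime_seconds": exp - iat,
    }


def make_sample_token() -> str:
    """Constructed, unsigned sample; exp/iat are the values from the question."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(
        json.dumps({"exp": 1711357660, "iat": 1711321660}).encode()
    )
    return f"{header}.{payload}.constructed-signature"


if __name__ == "__main__":
    print(token_lifetime(make_sample_token()))
```

To check a real token, pass the value of `$token` from the `curl` command to `token_lifetime` in place of the constructed sample.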