Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,12 @@ private record CachedStore(FactoryPlusUserStore store) {}
static final String CONFIG_KRB_PRINCIPAL = "auth.principal";
static final String CONFIG_KRB_KEYTAB_PATH = "auth.keytab.path";
static final String CONFIG_DEFAULT_REALM = "default.realm";
static final String DEFAULT_TIMEOUT_SECONDS = "5";
/* Must stay below Keycloak's 3-second ServicesUtils.timeBoundOne
* hard limit on user-storage lookups. With a longer value our own
* timeout can never fire: Keycloak interrupts the thread first and
* the admin sees an opaque InterruptedException instead of a clean
* timeout naming the F+ auth service. */
static final String DEFAULT_TIMEOUT_SECONDS = "2";
static final String DEFAULT_CACHE_TTL_SECONDS = "60";

private static final List<ProviderConfigProperty> CONFIG_PROPERTIES =
Expand All @@ -73,7 +78,10 @@ private record CachedStore(FactoryPlusUserStore store) {}
.property()
.name(CONFIG_TIMEOUT_SECONDS)
.label("Request timeout (seconds)")
.helpText("Per-request timeout for F+ auth calls.")
.helpText("Per-request timeout for F+ auth calls. Keep "
+ "this below 3 seconds: Keycloak hard-kills user "
+ "storage lookups at 3s, so a longer value here "
+ "never takes effect.")
.type(ProviderConfigProperty.STRING_TYPE)
.defaultValue(DEFAULT_TIMEOUT_SECONDS)
.add()
Expand Down
6 changes: 5 additions & 1 deletion acs-service-setup/lib/openid.js
Original file line number Diff line number Diff line change
Expand Up @@ -183,7 +183,11 @@ class OpenIDSetup {
parentId: realmUuid,
config: {
"auth.url": [this.auth_internal_url],
"auth.timeout.seconds": ["5"],
// Must stay below Keycloak's 3s hard limit on user
// storage lookups; a longer value never takes effect
// and slow F+ auth calls surface as an opaque
// InterruptedException instead of a clean timeout.
"auth.timeout.seconds": ["2"],
"cache.ttl.seconds": ["60"],
// Disable Keycloak's per-user attribute cache for this
// federation. With the default (DEFAULT, cache forever)
Expand Down
Loading