Grafana Generic OIDC "login_maximum_inactive_lifetime_duration" not enforced

What Grafana version and what operating system are you using?
Grafana Enterprise v11.x (deployed via Kube Prometheus Operator on AKS - Azure Kubernetes Service)


What are you trying to achieve?
Enforce logout of idle users based on inactivity (not just token expiry) when using Keycloak OIDC as the identity provider.


How are you trying to achieve it?
By configuring Keycloak timeouts (SSO Session Idle, Client Session Idle, etc.) and setting use_refresh_token = true in Grafana’s [auth.generic_oauth] config. Token rotation is configured with token_rotation_interval_minutes.


What happened?
Users remain logged in indefinitely as long as Grafana silently refreshes tokens. Idle users are not logged out, because token refresh keeps the session active from Keycloak’s perspective. Even if the user is inactive in the UI, the session persists until max time or manual logout.


What did you expect to happen?
Expected Grafana or Keycloak to enforce logout after a period of actual user inactivity in the UI.


Can you copy/paste the configuration(s) that you are having problems with?


    auth:
      disable_login_form: false
      oauth_auto_login: false
      login_cookie_name: grafana_session
      login_maximum_inactive_lifetime_duration: 5m
      login_maximum_lifetime_duration: 8h
      token_rotation_interval_minutes: 5

    [auth.generic_oauth]
    name = OAuth
    enabled = true
    allow_sign_out = true
    use_refresh_token = true
    token_rotation_interval_minutes = 5
    client_id = ...
    client_secret = ...
    scopes = openid email profile
    auth_url = ...
    token_url = ...
    api_url = ...

Keycloak (OIDC client settings):

  • SSO Session Idle: 15 minutes
  • Client Session Idle: 5 minutes (does not apply to the user, per the doc)
  • Client Session Max: 8 hrs

Did you receive any errors in the Grafana UI or in related logs?
No errors. Sessions remain valid.


Did you follow any online instructions? If so, what is the URL?


Grafana silently refreshes the token using the refresh token, which Keycloak counts as “activity.” Therefore, idle sessions are not logged out. We are looking for a way to have idle users logged out — not just based on token lifetime — while still supporting single sign-on with Keycloak.

Is there a supported method for true idle timeout enforcement in this setup?

context_srv.ts

  • There is no code in context_srv.ts that detects if the user is idle
  • Token rotation happens based on time, not user activity
  • The rotation will occur even if the user hasn’t interacted with the UI

Thank You


I think the problem is the definition of “inactive user” in your case and in the Grafana case.

If the user has the UI loaded in the browser, then the user is active from the Grafana perspective. That UI communicates with the backend (e.g. checking for dashboard changes via the live feature), so there must be session maintenance in the background.

See doc:

This means that a user can close a Grafana window and return before now + login_maximum_inactive_lifetime_duration to continue their session.

The Grafana window (browser) must be closed - that’s an inactive user.

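The interplay described in the question and in Jan's reply, as an added example that is not code from Grafana, Keycloak or this thread: a small TypeScript timer model that steps through a session one second at a time and reports which timer ends it. Every name in it (Settings, Scenario, simulate, THREAD_SETTINGS, the scenario functions) is made up for the example. Two assumptions are built in: Grafana's OAuth refresh against Keycloak is modelled as happening together with the session-token rotation (in reality they are separate timers, but both are time-driven, which is the thread's point), and uiIdleLogoutSec stands for a browser-side idle detector that Grafana does not have, included only to show what true idle enforcement would have to look at.

```typescript
// Timer model of Grafana session settings vs. Keycloak idle timers (example only).
// All durations are in seconds.
const MINUTE = 60;
const HOUR = 3600;

interface Settings {
  tokenRotationIntervalSec: number;     // token_rotation_interval_minutes
  loginMaxInactiveLifetimeSec: number;  // login_maximum_inactive_lifetime_duration
  loginMaxLifetimeSec: number;          // login_maximum_lifetime_duration
  keycloakSsoSessionIdleSec: number;    // Keycloak "SSO Session Idle"
  uiIdleLogoutSec?: number;             // hypothetical browser idle detector (not in Grafana)
}

interface Scenario {
  tabOpen: boolean;          // tab open => the frontend keeps rotating on schedule
  lastUserInputSec: number;  // last real mouse/keyboard input; only the detector looks at it
  runSec: number;            // how long to simulate
}

interface Outcome {
  loggedOutAt: number | null;
  reason: string;
  rotations: number;
}

// Values posted in the thread: rotation 5m, inactive 5m, max 8h, SSO idle 15m.
const THREAD_SETTINGS: Settings = {
  tokenRotationIntervalSec: 5 * MINUTE,
  loginMaxInactiveLifetimeSec: 5 * MINUTE,
  loginMaxLifetimeSec: 8 * HOUR,
  keycloakSsoSessionIdleSec: 15 * MINUTE,
};

function simulate(s: Settings, sc: Scenario): Outcome {
  let lastRotation = 0;       // when the session token was last rotated
  let lastSeenByGrafana = 0;  // last request Grafana attributed to this session
  let lastSeenByKeycloak = 0; // login, or last successful refresh
  let rotations = 0;

  for (let t = 1; t <= sc.runSec; t++) {
    if (t >= s.loginMaxLifetimeSec) {
      return { loggedOutAt: t, reason: "login_maximum_lifetime_duration", rotations };
    }
    // The hypothetical detector is the only check that looks at real user input.
    if (s.uiIdleLogoutSec !== undefined && t - sc.lastUserInputSec >= s.uiIdleLogoutSec) {
      return { loggedOutAt: t, reason: "ui_idle_detector", rotations };
    }
    // Rotation is purely time-driven: it fires whenever the tab is open,
    // whether or not anyone touched the UI.
    if (sc.tabOpen && t - lastRotation >= s.tokenRotationIntervalSec) {
      if (t - lastSeenByKeycloak >= s.keycloakSsoSessionIdleSec) {
        // Keycloak's idle window already elapsed: the refresh fails and Grafana logs out.
        return { loggedOutAt: t, reason: "keycloak_sso_session_idle", rotations };
      }
      // A successful refresh counts as activity on both sides and resets both idle clocks.
      lastSeenByKeycloak = t;
      lastSeenByGrafana = t;
      lastRotation = t;
      rotations++;
    }
    if (t - lastSeenByGrafana >= s.loginMaxInactiveLifetimeSec) {
      return { loggedOutAt: t, reason: "login_maximum_inactive_lifetime_duration", rotations };
    }
  }
  return { loggedOutAt: null, reason: "still logged in", rotations };
}

const IDLE_ALL_DAY: Scenario = { tabOpen: true, lastUserInputSec: 0, runSec: 9 * HOUR };

// The situation from the question: tab open, nobody touching it.
function idleUserTabOpen(): Outcome {
  return simulate(THREAD_SETTINGS, IDLE_ALL_DAY);
}
// Jan's definition of inactive: the browser window is closed.
function idleUserTabClosed(): Outcome {
  return simulate(THREAD_SETTINGS, { ...IDLE_ALL_DAY, tabOpen: false });
}
// What it would take: a detector keyed on real input, here 15 minutes.
function idleUserWithDetector(): Outcome {
  return simulate({ ...THREAD_SETTINGS, uiIdleLogoutSec: 15 * MINUTE }, IDLE_ALL_DAY);
}
// Keycloak's idle timer only ends the session if it is shorter than the rotation interval.
function keycloakIdleShorterThanRotation(): Outcome {
  return simulate({ ...THREAD_SETTINGS, keycloakSsoSessionIdleSec: 4 * MINUTE }, IDLE_ALL_DAY);
}

console.log(idleUserTabOpen());
console.log(idleUserTabClosed());
console.log(idleUserWithDetector());
console.log(keycloakIdleShorterThanRotation());
```

In the model the open-tab user survives 95 rotations and is only ended by login_maximum_lifetime_duration at 8h, the closed-tab user is ended by login_maximum_inactive_lifetime_duration at 5m, and only the hypothetical detector ends the session on real inactivity. The last scenario is the one knob the thread's settings leave: an SSO Session Idle shorter than the rotation interval makes the next refresh fail, but that ends every session with an open tab, active or not, so it is not an idle timeout either.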

Thank You Jan.

Appreciate your help.