Tags: wso2, wso2-api-manager

How to set custom timeout for session in wso2 apim publisher and devportal?


I am using wso2 apim 4.0.0. I would like to customize (set to 1 minute) the session timeout for the management consoles (publisher, devportal, admin). The way I am following is the official [documentation](https://apim.docs.wso2.com/en/4.0.0/install-and-setup/setup/security/securing-api-m-web-portals/#configuring-session-time-out), which states to add the following lines to the deployment.toml configuration file:

[tomcat.management_console]
session_timeout = "30m"
[tomcat.global]
session_timeout = "30m"

I tried to modify those configs to 1m:

[tomcat.management_console]
session_timeout = "1m"
[tomcat.global]
session_timeout = "1m"

After restarting, only carbon seems to be affected by the changes given above. It invalidates the session automatically after a minute. But the session timeout for the Publisher, Devportal and Admin portals remains unchanged. I expected the configuration would work on Publisher, Devportal and Admin as well, so that they invalidate the session after one minute.


Solution

  • I think this is no longer applicable for the publisher, admin and devportals, as APIM uses the OIDC SSO session management methodology for these portals. Portals use IDP-side sessions only and, by default, it expires at 15 mins [1]. From the APIM UI side, we don't use browser sessions and we only check the access token validity period (default 1 hour); if the token has expired we log the user out and might use the refresh token if persisted, and then use that token to get a new access token. During that period, if the IDP session has expired only, the user is redirected to the login page; otherwise the user login happens and the user is redirected to the portal automatically.

    Therefore, instead of using the above config, you can:

    1. Change the session timeout parameter of the resident keymanager from the management console [1]
    2. Update the access token and refresh token timeouts for the publisher, devportal and admin portal service providers.

    [1] - https://is.docs.wso2.com/en/latest/guides/login/session-timeout/
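
An added example, not part of the question or answer above and not WSO2 code: since the answer says the portals only check the access token's validity period, the quickest way to confirm that a changed token timeout on the service provider actually took effect is to decode the access token the portal received and compare `exp - iat` with the value you configured. The helper below assumes the access token is a JWT (the token type, claim names and the sample issuer URL are assumptions); it reads claims only and does not verify the signature, so it is a diagnostic, not an authorization check. The sample token is constructed inline with a placeholder signature segment.

```python
"""Inspect the lifetime of a JWT access token: configured validity (exp - iat) and time remaining."""
import base64
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore the padding before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT verified here: this is for inspecting the configured
    validity, not for trusting the token. Verify against the key manager's
    public key before relying on any claim for authorization decisions.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def token_lifetime_seconds(claims: dict) -> int:
    """Validity the token was issued with: exp minus iat (seconds)."""
    return int(claims["exp"]) - int(claims["iat"])


def seconds_until_expiry(claims: dict, now: Optional[float] = None) -> int:
    """Remaining validity; zero or negative means the portal would treat it as expired."""
    now = time.time() if now is None else now
    return int(claims["exp"] - now)


def is_expired(claims: dict, now: Optional[float] = None) -> bool:
    return seconds_until_expiry(claims, now) <= 0


def make_sample_token(iat: int, validity: int) -> str:
    """Constructed sample token for offline use; the signature segment is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "iss": "https://apim.example.invalid:9443/oauth2/token",  # assumed issuer URL
        "sub": "admin",
        "iat": iat,
        "exp": iat + validity,
    }
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        "placeholder-signature",
    ])


if __name__ == "__main__":
    # Constructed token issued with a 60 second validity, as one would configure
    # on the portal's service provider when aiming for a one-minute session.
    tok = make_sample_token(iat=1_700_000_000, validity=60)
    claims = decode_claims(tok)
    print("configured validity (s):", token_lifetime_seconds(claims))
    print("remaining 30s after issue:", seconds_until_expiry(claims, now=1_700_000_030))
    print("expired 61s after issue:", is_expired(claims, now=1_700_000_061))
```

In practice you would paste the real access token from the portal's browser storage or the token endpoint response into `decode_claims` and check that `token_lifetime_seconds` matches the service provider's access token validity; if it still reports 3600, the tomcat `session_timeout` change is, as the answer explains, simply not the setting that governs these portals.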