For a specific client, I am attempting to extend the access time for a JWT issued by the client to a very long time.
I've set my client's timeouts to 365 days:
However, Keycloak only issues a jwt with an expiration of 1 day later:
KEYCLOAK_URL=http://localhost:8081/auth
REALM=users
ADMIN_CLIENT_ID=api-long-lived
ADMIN_CLIENT_SECRET=api-long-lived-password
token=$(curl --no-progress-meter --insecure --request POST $KEYCLOAK_URL/realms/$REALM/protocol/openid-connect/token \
--header 'content-type: application/x-www-form-urlencoded' \
--data-urlencode "client_id=$ADMIN_CLIENT_ID" \
--data-urlencode "client_secret=$ADMIN_CLIENT_SECRET" \
--data-urlencode 'grant_type=client_credentials' \
| jq -r .access_token)
Which is decoded, according to https://jwt.io as:
[...]
"exp": 1711357660,
"iat": 1711321660,
Which equates to:
March 24, 2024 02:07:40 GMT-0700
March 25, 2024 02:07:40 GMT-0700
Even if it's not a good idea to set expirations that long, why can't I extend the expiration for this client to be more than 1 day?
It appears that the realm-level SSO Session Max setting will override the client override, so this needs to be adjusted up, and then all other clients need to override their session max down to reasonable levels.
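To see which lifetime was actually issued, the following added example (not part of the original post) reads `exp` and `iat` from a token locally and compares the difference with the lifetime configured on the client. The function names and the sample token are constructed for illustration; only the `exp` and `iat` values are taken from the question, and the signature is not verified.

```shell
#!/usr/bin/env bash
# Added example: report a JWT's effective lifetime and flag a capped value.
# It only reads claims; it does NOT verify the token's signature.

# Decode one base64url segment (JWTs use '-' and '_' and drop '=' padding).
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}

# Print the numeric value of a top-level claim (for example exp or iat).
jwt_claim() {
  local payload
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | tr -d ' \n' \
    | grep -o "\"$2\":[0-9]*" | head -n1 | cut -d: -f2
}

# Print exp - iat in seconds; fail if either claim is missing.
jwt_lifetime() {
  local exp iat
  exp=$(jwt_claim "$1" exp)
  iat=$(jwt_claim "$1" iat)
  [ -n "$exp" ] && [ -n "$iat" ] || return 1
  echo $(( exp - iat ))
}

# Compare the issued lifetime with the one configured on the client (seconds).
check_lifetime() {
  local actual
  actual=$(jwt_lifetime "$1") || { echo "token has no exp/iat"; return 2; }
  if [ "$actual" -lt "$2" ]; then
    echo "capped: issued ${actual}s, client configured for ${2}s"
    return 1
  fi
  echo "ok: issued ${actual}s"
}

# Constructed sample token: exp/iat are the values quoted in the question,
# the header and signature are placeholders.
b64url() { base64 | tr -d '=\n' | tr '+/' '-_'; }
SAMPLE_TOKEN="$(printf '{"alg":"none"}' | b64url).$(printf '{"exp": 1711357660, "iat": 1711321660}' | b64url).sig"

# The client was configured for 365 days.
check_lifetime "$SAMPLE_TOKEN" $(( 365 * 24 * 3600 )) || true
```

In the flow from the question, `check_lifetime "$token" 31536000` can be run directly after the `curl` call, once before and once after changing the realm setting.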