[keycloak-user] Refresh token - should it expire?
stian at redhat.com
Tue Jun 23 11:14:27 EDT 2015
----- Original Message -----
> From: "Juraci Paixão Kröhling" <juraci at kroehling.de>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-user at lists.jboss.org
> Sent: Tuesday, 23 June, 2015 5:12:14 PM
> Subject: Re: [keycloak-user] Refresh token - should it expire?
> On 06/23/2015 04:50 PM, Stian Thorgersen wrote:
> > In the meantime you can set a high level for the SSO expiration.
> That would work for now, but note that if a user logs out or if the
> session expires for some reason, the token is automatically deemed as
> expired as well (invalid_grant, actually). So, it's not about the
> token expiration itself, but about the session expiration:
Indeed, that's the intent. All non-offline tokens are linked to the current user's session.
> > When do you need to have a proper offline token?
> Tough question :-) I'd say that we'd absolutely need this by
> September/October, but of course, the sooner the better as it touches
> an important part of the system.
We'll try to get it in for 1.5 - which should be end of August.
> -- Juca.