<div dir="ltr"><div><div><div>Hello,<br><br></div>Our web application has a standard keycloak integration. Our mobile app is currently using keycloak direct access grants. I've got a few questions about expected behavior when a user has overlapping usage of both web and mobile which I'm hoping somewhere here can kindly answer.<br><br></div>1. A user logs in to the mobile app and gets a JWT and a refresh token. The user then logs in to the web app (via KC) and then logs out of the web app (via KC). Should the mobile refresh token then be able to successfully refresh the mobile JWT access token against KC, or does the web logout 'invalidate' the mobile refresh token?<br><br></div><div>2. Similar scenario but the web user changes their password instead of logging out:<br>A user logs in to the mobile app and gets a JWT and a refresh token.
The user then logs in to the web app and then changes their password (through KC).
Should the mobile refresh token (created with the old password) then be able to successfully refresh the mobile
JWT access token, or does the web logout 'invalidate' the mobile
refresh token?<br><br><br></div><div>Would the behavior in either of those cases be different if our mobile app used a webview redirecting to the KC server instead of using direct access grants?<br><br></div><div>Thanks very much!<br></div><div>Seann Ives<br><br></div></div>