----- Original Message -----
Quite likely it's the session that is no longer valid, not just the token.
If the access token is not valid (this is 5min by default) it will be
refreshed by the proxy (valid as long as the user session is valid).
Once the user session is no longer valid the user is required to
re-authenticate to Keycloak which causes the redirect to Google. This
happens by default after the session has been idle 30 min (no token
refreshes) or after 10 hours. You can change the timeouts through the admin
console.
I've tried setting both "SSO Session Idle" and "SSO Session Max"
to 1 Day, but see this issue where the proxy redirects to keycloak which redirects to
google after about 1 hour. Is there another setting I need to change?