[keycloak-user] Bearer token expiration question

First of all, Keycloak looks great - the alpha release is a very nice start! I have a question about bearer token expiration. Take the included product portal example. It is configured to use Keycloak for SSO, which allows the user to access the product listing page. That listing page uses the current SkeletonKeySession's token as the Bearer token when invoking the database/products REST endpoint. This makes sense to me, but one interesting thing happens - that token eventually times out. Once that happens all calls to the REST endpoint fail. Note that this occurs even if the user refreshes that product listing page. The timeout is from login, not from the last activity (like an http session timeout would be). So in this scenario, how is the product page supposed to get a new token when the old one expires? This becomes even more relevant if the UI is not a JSP but is instead a JavaScript app (e.g. angular, GWT, etc). I was thinking that I would need to pass the token to the client layer, which would then allow me to make authenticated REST calls directly from the Client/JavaScript layer to a REST API. That would be a great separation, but obviously the user should not get logged out after N minutes despite actively using the app during that time. I'm probably missing something obvious... :) -Eric