Re: [keycloak-user] always-refresh-token and admin rest api

Greetings. Following up my post from yesterday I have more specific questions. I plan to use keycloak with my REST service for mobile apps as follows: Option A: 1 A user sends a REST registration request to my webapp and the webapp adapts the request to the local keycloak admin rest api. 2 When the user is created he can then authenticate to keycloak via the direct access grant rest api and receives an access token. 3 The issued access token should be valid for only one request, thus I specified the option "always-refresh-token": true in my webapp's keycloak.json file. Option B: 1 Mobile app forms the HTTP POST request to the user registration page. 2 and 3 as in Option A Option C: 1 Use a user federation provider and create users in my webapp's datasource. 2 and 3 as in Option A Question regarding all options: How is the "always-refresh-token" option supposed to work? I supplied the option as stated above but I am still able to reuse access tokens that were issued from the direct access grant service. Another question is how this token refreshing should be implemented on the client side. Do I have to invoke on the direct access grant api to obtain a new token for every request or can the issued "refresh_token" be used on subsequent requests and a new refresh token is somehow included in the response of my service?

Question regarding option C: When creating users in my own database which serves as a federation provider I loose some keycloak functionality like Email verification and so on, right? I am also not sure which option to use. What would you suggest. Feature request: It would be great to have a keycloak REST API for registration and user self-service in order to fulfill the demands of mobile applications. Best regards, Benjamin