[keycloak-user] Where to store the refresh token? Can we avoid refresh token and rely on SSO cookie for access token renewal?