from various document, it seems storing refresh token is not recommended
for browser based web application that cannot safely keep the refresh token.
So, i am wonder whether i can configure keycloak to achieve the following
(authorization code grant):
1. response with the access token only (token endpoint)
2. when the access token expired, rely on the SSO cookie, to invoke
method/endpoint in keycloak to obtain a new access token via ajax.
can you please share your way to cater for refresh token? And comment on my
idea?
thanks