My application is checking the access token timeout and refreshing it if expired. The thing is, the tokens are being invalidated after the SSO session timeout. So if I have the access token timeout set to 4 hours, and the SSO timeout
set to 15 minutes, the access token and refresh tokens are both invalidated after only 15 minutes.
Date: Thu, 21 Aug 2014 17:34:16 -0400
From: Bill Burke <bburke@redhat.com>
Subject: Re: [keycloak-user] SSO Session Idle Timeout for Direct
Grants
To: keycloak-user@lists.jboss.org
Message-ID: <53F665D8.9000303@redhat.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
I don't agree...
Your application should be checking for token timeouts and performing a
refresh. The response from direct-grant gives you a refresh token as
well as an access token as well as a timeout (which you could check from
the access token).
Since you have a refresh token, you can refresh the access token. You
still want the same setup: Short access token lifespan
(seconds/minutes) with a longer refresh timeout minutes/hours. This is
for revocation checks, permission changes, etc.
I could set up a different SSO timeout/access token timeout for grant
requests if you want, but that would have to be after 1.0.final.