I am studying Keycloak and the related protocols OpenID Connect & OAuth2. Everything is
clear except one thing: how to maintain a sliding session for a logged-in
user. Maybe I misunderstand something.
1. The Authorization Flow first of all redirects a user to the Keycloak
login page. After successful login the user is redirected to the redirect
URL with the authorization code.
2. Using this authorization code, a server side application connects to
the keycloak server and exchanges the code for the Access token (also
including client id, secret, etc) and ID token.
3. Access token is used by the server side application itself in order
to retrieve details from the keycloak server, like user additional info,
public key, etc. So the Access token is used by applications only.
4. The server side application sets a cookie with the received ID token.
Now the user can access protected resources.
All in all we have:
1. Access token stored on the server side and used only by applications
or services to retrieve additional info from Keycloak.
2. Refresh token stored on the server side and used only by applications
or services to get a new Access token.
3. ID token stored in the user's cookies and used to access protected
resources of the system.
My question is, how can the ID token be refreshed? Consider the following
case: a user is logged in and doing some actions in the system, but
suddenly the token expires. How should this case be handled? I have
implemented my own flow called the Sliding session, so the token gets
refreshed whenever a request is made; however, I don't know how to handle this
case with Keycloak.
I would be grateful for any help regarding the matter.
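Added example, not code from the post or from Keycloak itself: one way a server-side application can implement the sliding-session step, by checking the ID token's expiry on each request and renewing the token set through the standard OAuth2 refresh_token grant at Keycloak's token endpoint. The endpoint host and realm, the client credentials, the in-memory session dict and the `post` hook used for offline testing are assumptions; the JWTs used in the test are constructed.

```python
# Added example, not code from the post or from Keycloak: a per-request
# sliding-session check that renews the ID token with the OAuth2
# refresh_token grant. Endpoint, client credentials and the session store
# are assumptions; the JWTs used for testing are constructed.
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Keycloak's token endpoint sits under the realm (host and realm are placeholders).
TOKEN_ENDPOINT = "https://keycloak.example/realms/REALM/protocol/openid-connect/token"

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature. Use this only
    to decide when to refresh; verify the signature before trusting claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def needs_refresh(id_token, now, skew=30):
    """True when the ID token expires within `skew` seconds of `now`."""
    return jwt_claims(id_token)["exp"] - skew <= now

def refresh_tokens(refresh_token, client_id, client_secret, post=None):
    """Exchange the refresh token for a new token set at the token endpoint.
    `post(url, body)` is injectable so the flow can be exercised offline."""
    body = urlencode({"grant_type": "refresh_token", "client_id": client_id,
                      "client_secret": client_secret,
                      "refresh_token": refresh_token}).encode()
    if post is not None:
        return post(TOKEN_ENDPOINT, body)
    req = Request(TOKEN_ENDPOINT, data=body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.load(resp)

def slide_session(session, client_id, client_secret, now=None, post=None):
    """Run on every authenticated request: rotate the server-side token set
    when the ID token is about to expire. Returns (session, refreshed)."""
    now = time.time() if now is None else now
    if not needs_refresh(session["id_token"], now):
        return session, False
    new = refresh_tokens(session["refresh_token"], client_id, client_secret, post)
    session["access_token"] = new["access_token"]
    session["id_token"] = new.get("id_token", session["id_token"])
    session["refresh_token"] = new.get("refresh_token", session["refresh_token"])
    return session, True
```

Because the refresh token and the renewed tokens never leave the server, the browser cookie only needs to identify the session; the tokens themselves are rotated in the server-side store.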