[keycloak-dev] Refresh token expires too

Corinne Krych corinnekrych at gmail.com
Wed Oct 15 11:20:25 EDT 2014


Hello Keycloak

Today I ran into an issue [1] related to the fact that in Keycloak server, refresh tokens are:
- renewed after each refresh token request, as described in the second paragraph here http://tools.ietf.org/html/rfc6749#section-10.4,
- expirable, which is more of a surprise to me (nothing like that in the OAuth2 spec).

So for the iOS SDK we’ll need to adjust our logic in here [2] and cater to the fact that if the refresh token is expired we’ll need to go through the grant popup again.
To get the refresh token expiration date, one way is to ask to renew the refresh token and hit a 400, "Refresh token expired", or decode the refresh token as done in keycloak.js [3].

Thanks @mposolda for the links.

@summers @passos: I guess it’s something you’ll need to consider too for the Android SDK.

++
Corinne
——————
AeroGear iOS tech lead

[1] https://issues.jboss.org/browse/AGIOS-294
[2] https://github.com/aerogear/aerogear-ios-oauth2/blob/master/AeroGearOAuth2/OAuth2Module.swift#L145
[3] https://github.com/keycloak/keycloak/blob/master/integration/js/src/main/resources/keycloak.js#L216, https://github.com/keycloak/keycloak/blob/master/integration/js/src/main/resources/keycloak.js#L462
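
The two ways of learning that a refresh token has expired that the message mentions (decoding the token, or getting a 400 on the refresh request), as an added example that is not part of the original post and is not Keycloak or AeroGear code. It assumes both tokens are JWTs with a numeric `exp` claim in seconds; `expiryOf`, `nextStep`, `onRefreshResponse`, `makeToken`, the returned action names and the sample tokens are all constructed for illustration.

```javascript
// Added example. Decoding a JWT payload without verifying its signature is only a
// client-side scheduling hint; the server's answer to the refresh request is authoritative.
function expiryOf(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;               // not header.payload.signature
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
    const claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return claims && typeof claims.exp === 'number' ? claims.exp : null;
  } catch (e) {
    return null;                                     // payload is not valid JSON
  }
}

// Returns 'use-access-token', 'refresh' or 'login' (login = go through the grant popup again).
// skewSec treats tokens that are about to expire as expired (clock drift, network latency).
function nextStep(tokens, nowSec, skewSec = 30) {
  const accessExp = expiryOf(tokens.accessToken);
  if (accessExp !== null && accessExp - skewSec > nowSec) return 'use-access-token';
  const refreshExp = expiryOf(tokens.refreshToken);
  if (refreshExp !== null && refreshExp - skewSec <= nowSec) return 'login';
  return 'refresh';   // refresh token looks valid, or its expiry is unknown: let the server decide
}

// The other route from the message: the refresh request itself comes back with a 400.
// A successful refresh returns a renewed refresh token, so the stored one must be replaced.
// Treating every other status as 'retry-later' is an assumption of this example.
function onRefreshResponse(status) {
  return status === 400 ? 'login' : status === 200 ? 'store-new-tokens' : 'retry-later';
}

// Builds a constructed, unsigned sample token for the demo (the signature is a placeholder).
function makeToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

const demoNow = 1413386425; // constructed "current time", seconds since the epoch
const demoTokens = {
  accessToken: makeToken({ exp: demoNow - 60 }),     // access token already expired
  refreshToken: makeToken({ exp: demoNow + 1800 }),  // refresh token still valid
};
console.log(nextStep(demoTokens, demoNow));
```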