[keycloak-user] Best practices for combining web and mobile usage in one realm

Aritz Maeztu amaeztu at tesicnor.com
Tue Nov 15 12:06:06 EST 2016

Hi all,

I'm using keycloak 2.2.1 to secure my application. The application can 
be accessed both via web and mobile (Android app). Both of them use the 
authorization code flow, which I believe is the ideal form of 
authentication for my case.

The topic I want to clarify here is token lifespans. As far as I 
understand, the SSO session idle timeout determines how long a token 
can last without being refreshed. On the other hand, SSO session max 
determines how long a token can last, even if it's being refreshed again 
and again. Well, now a couple of questions:

1. Is there a way to make the web session limited to, let's say, 30 
minutes and to have a long lived refresh token for the app?

2. How to deal with the refresh token in the app? What I do right now is 
to launch a webview when the application starts and store the access and 
refresh tokens in user preferences (which are secured in Android). I wrap 
each http request made from the app and add the access token, unless it 
has expired, in which case I request a new access token with the refresh 
token. But when should I check the validity of the refresh token itself? I 
don't want a chain of requests being interrupted because of the refresh 
token having expired!

Thanks in advance for your help!

Aritz Maeztu Otaño
Software Development Department

Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretary's office: 948 21 40 40

Before printing this e-mail, think carefully about whether it is really 
necessary: the environment is everyone's responsibility.

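The request-wrapping scheme described in question 2 (attach the access token, refresh it from the refresh token when it has expired, and decide when to check the refresh token itself), as an added example that is not part of the original post and not Keycloak's own client code. It assumes both tokens are JWTs carrying an `exp` claim (Keycloak's are), and that `refresh_fn` is the app's real call to the realm's token endpoint (`POST .../protocol/openid-connect/token` with `grant_type=refresh_token`); a constructed fake stands in for it so the file runs offline. The class and function names are illustrative, not an Android or Keycloak API.

```python
"""Client-side token handling for a native app using the authorization code flow.

Added example (not from the original post or from Keycloak). Assumptions:
  - access and refresh tokens are JWTs with an ``exp`` claim;
  - ``refresh_fn`` performs the real HTTP call to the token endpoint and returns
    the parsed JSON body; ``fake_keycloak_refresh`` below is a constructed stand-in.
"""
import base64
import json
import time


class ReauthRequired(Exception):
    """The refresh token is expired or about to expire: send the user back through
    the login webview instead of starting (or continuing) a chain of requests."""


def _now(now):
    return time.time() if now is None else now


def _b64url_decode(data: str) -> bytes:
    data += "=" * (-len(data) % 4)          # restore the padding JWTs strip
    return base64.urlsafe_b64decode(data)


def jwt_exp(token: str) -> int:
    """Return the ``exp`` claim (Unix seconds) of a JWT.

    The signature is deliberately NOT verified: the client only needs to know when a
    token it received over TLS will expire. The server still validates the signature
    on every request, so this is a scheduling hint, not a trust decision.
    """
    payload = token.split(".")[1]
    return int(json.loads(_b64url_decode(payload))["exp"])


def make_sample_jwt(exp: int) -> str:
    """Constructed, unsigned sample token for the offline demo (alg=none, empty signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'exp': exp, 'sub': 'demo'})}."


class TokenManager:
    """Wraps outgoing requests: attaches a valid access token, refreshing it when
    needed, and checks the refresh token early enough that a batch is never interrupted."""

    def __init__(self, access_token, refresh_token, refresh_fn, leeway=30):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.refresh_fn = refresh_fn        # callable(refresh_token) -> token endpoint JSON
        self.leeway = leeway                # seconds of clock-skew / latency margin

    @staticmethod
    def _valid(token, now, margin):
        return jwt_exp(token) - margin > now

    def access_token_valid(self, now=None):
        return self._valid(self.access_token, _now(now), self.leeway)

    def refresh_token_valid(self, now=None, margin=None):
        m = self.leeway if margin is None else margin
        return self._valid(self.refresh_token, _now(now), m)

    def ensure_session(self, batch_seconds=0, now=None):
        """Call once BEFORE a chain of requests. Raises ReauthRequired if the refresh
        token cannot cover the whole batch plus leeway, so the app re-authenticates
        up front instead of failing halfway through."""
        if not self.refresh_token_valid(_now(now), margin=self.leeway + batch_seconds):
            raise ReauthRequired("refresh token expires before the batch would finish")

    def get_access_token(self, now=None):
        """Return an access token good for at least ``leeway`` seconds, refreshing if needed."""
        now = _now(now)
        if self.access_token_valid(now):
            return self.access_token
        if not self.refresh_token_valid(now):
            raise ReauthRequired("refresh token expired; user must log in again")
        body = self.refresh_fn(self.refresh_token)
        self.access_token = body["access_token"]
        # The token response carries a refresh_token too; always keep the latest one.
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        return self.access_token

    def authorized_headers(self, now=None):
        """What the per-request wrapper adds to every outgoing HTTP call."""
        return {"Authorization": "Bearer " + self.get_access_token(now)}


def fake_keycloak_refresh(access_lifespan=300, refresh_lifespan=1800, now=None):
    """Constructed stand-in for the token endpoint; records calls so tests can count them."""
    calls = []

    def refresh(refresh_token):
        calls.append(refresh_token)
        t = int(_now(now))
        return {"access_token": make_sample_jwt(t + access_lifespan),
                "refresh_token": make_sample_jwt(t + refresh_lifespan),
                "token_type": "bearer"}

    refresh.calls = calls
    return refresh
```

The point of `ensure_session` is that the refresh token's expiry is known to the client from its own `exp` claim, so the check belongs at the start of a batch, with the batch's expected duration as margin, rather than on each request; a failed refresh mid-chain then only happens when the server has revoked the session, which no client-side check can predict.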