[keycloak-user] Best practices for combining web and mobile usage in one realm

Iván Perdomo ivan at akvo.org
Wed Nov 16 04:52:35 EST 2016

Found the location of the "Offline Access" section:


On 11/16/2016 09:55 AM, Iván Perdomo wrote:
> Hi,
> I think you should look at offline tokens, introduced in  Keycloak 1.6.1 [1]
> [1] http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html
> On 11/15/2016 06:06 PM, Aritz Maeztu wrote:
>> Hi all,
>> I'm using keycloak 2.2.1 to secure my application. The application can 
>> be accessed both via web and mobile (Android app). Both of them use the 
>> authorization code flow, which I believe it's the ideal form of 
>> authentication for my case.
>> The topic I want to clarify here is token lifespans. As far as I 
>> understand, the SSO session idle timeout determines how long can a token 
>> last without being refreshed. On the other hand, SSO session max 
>> determines how long can a token last, even if it's being refreshed once 
>> and again. Well, now couple of questions:
>> 1. Is there a way to make the web session limited to, let's say, 30 
>> minutes and to have a long lived refresh token for the app?
>> 2. How to deal with the refresh token in the app? What I do right now is 
>> to launch a webview when application starts and store the access and 
>> refresh tokens in user preferences (which is secured in Android). I wrap 
>> each http request made from the app and add the access token, unless it 
>> has expired, then I request a new access token with the refresh token. 
>> But when should I check the validity for the refresh token itself? I 
>> don't want a chain of requests being interrupted because of the refresh 
>> token being expired!
>> Thanks in advanced for your help!


More information about the keycloak-user mailing list