[keycloak-user] Keycloak use-case with Android and custom API

César Augusto Ribeiro carrbrpoa at gmail.com
Tue Jun 20 15:30:08 EDT 2017


Hello,

I have an APP (Android + NativeScript) and a custom NodeJS API that serves
it. My idea is to let my API handle any authentication/authorization stuff
through Keycloak - with keycloak-nodejs-connect.
So we could have the following flow:
- APP sends user and pass to this custom API;
- API calls Keycloak to authenticate the user with data provided (/token,
  scope='offline_access' - to a public Keycloak client);
- Keycloak returns a token to the API;
- API returns the access token to the app, which holds it to be used in
  subsequent calls (Authorization Bearer ... header).
In my tests through HTTP clients, simulating the flow I would have in the
real case, I get HTTP Status 403 - Forbidden after token expiration.
I have the impression that the refreshing of the token should be
automatically done, but that doesn't seem to be happening.
Small pieces of code:


    app.use(session({        secret: '...',        resave: false,
saveUninitialized: true,        store: memoryStore,    }));
        var keycloak = new Keycloak({        store: memoryStore,
scope: 'offline_access'    }, 'keycloak.json');
app.use(keycloak.middleware());
        app.post('/login', function (req, res) {
keycloak.grantManager.obtainDirectly('USER', 'PASS').then(grant => {
     keycloak.storeGrant(grant, req, res);             ...         }, error
=> {             ...         });    });
        app.get('/someProtectedEndpoint', keycloak.protect(), function
(req, res, next) {    ...    });

Do you see anything wrong in this use-case? Maybe I also need to store the
refresh token in the client and use it to somehow force token refresh?
Maybe it's not a good auth flow at all?

For whoever wants some SO points: https://stackoverflow.com/q/44656168/643416

Thanks in advance!

