[keycloak-user] Refresh Token Question

Konstantinos Schoinas ece8537 at upnet.gr
Wed May 22 03:57:12 EDT 2019


Hi there,

i have a setup where i use a node js application and  Keycloak-connect 
NPM module in order to align it with keycloak single-sign on flow.

Everything is working fine except of one thing.

When my refresh token is expired and i am trying to access a resource in 
application  that is protected by keycloak.protect() i am getting a 
redirect to keycloak page (a flow that i find it correct ) and my user 
is automatically getting re-logged in without posting any credentials.

i don;t know if that behavior is right.

My Keycloak Realm-⁠⁠Settings on Token tab  are:

Revoke Refresh Token -⁠⁠-⁠⁠> Off

SSO Session idle -⁠⁠-⁠⁠> 2 minutes

SSO Session Max -⁠⁠-⁠⁠> 4 minutes

Access Token Lifespan -⁠⁠-⁠⁠> 1 minute

I also noticed this type of behavior on the nodejs-example that keycloak 
connect provides so i believe that there isn't something wrong with my 
application.

Also i put some logs inside keycloak-middleware to make sure that the 
refresh Token is expired by going to the relative function and made sure 
that the refresh is expired.

In addition this is happening of course when the 2 minutes are past and 
i am trying to do a request to the Refresh token is definetly getting 
expired there but still Keycloak seems to getting me logged in again and 
NOT redirecting me to the Login page.

Thanks in Advance for the help,

Konstantinos


More information about the keycloak-user mailing list