[keycloak-user] Where to store the refresh token? Can we avoid refresh token and rely on SSO cookie for access token renewal?

Paul Luk ah.ping.luk at gmail.com
Fri Oct 18 04:50:53 EDT 2019


From various documents, it seems storing the refresh token is not recommended
for browser-based web applications that cannot safely keep the refresh token.

So, I am wondering whether I can configure Keycloak to achieve the following
(authorization code grant):
1. Respond with the access token only (token endpoint).
2. When the access token has expired, rely on the SSO cookie to invoke a
method/endpoint in Keycloak to obtain a new access token via AJAX.

Can you please share your way to cater for the refresh token? And comment on my
idea?

Thanks

