[keycloak-user] Storing and using refresh tokens
Marius Bozem
marius.bozem.external at zalando.de
Mon Sep 30 08:19:26 EDT 2019
Hey everyone,
I am working on using refresh tokens to get a new access token when the old
one expires.
For that I would like to know the best practices regarding:
- What is a secure and easy way of implementing the use of refresh tokens?
In more detail, these are the questions I have:
- How and where to store refresh tokens? We plan on storing them in our
back end service. A user would then have a session with our service that
would be used to get the refresh token for them.
- Where and how will the use of the refresh token be triggered? At some
point the access token will expire, should the front end then make a
request to the back end to get a new token?
- In this front end & back end setup how do you deal with the user having
multiple tabs of the application open or using multiple browsers?
Thanks in advance,
Marius