Hi Team,
Could you explain how Keycloak generates and manages access tokens and refresh tokens during the login and logout process?
Specifically, I’d like to understand how these tokens are created, where and how they are stored internally in Keycloak’s database, and how they are invalidated or removed during user logout. Also, what are the best practices for securely storing and handling these tokens on both the server and client side?
Thanks,
Pooja