Access token timeout for long running operations in resource server

Hey,

I have the following scenario illustrated in the picture

  • JS frontend is an Angular frontend which manages redirection to a Keycloak login page where users can enter their credentials (OpenID Connect). It is using PKCE for that as well
  • the relevant Keycloak realm and client use the Authorization Code Grant
  • the backend is a Spring Boot app which serves the API and receives the token from the frontend
  • since it's an architecture with multiple services, the backend delegates the retrieval of some data to another service, while handing the access token over to that service
  • in between, the token times out

My questions are:

If you need more information let me know.

Greetings Sascha

Hm, interesting question. I'm also interested in a way to handle that properly.

You may look into the RFC 8693 OAuth 2.0 Token Exchange standard to solve this.
With that standard, the backend can exchange the token it got from the frontend into another token with a longer lifetime (only to be used on the server-side and NEVER to be handed over to the client).
Keycloak supports this (unfortunately still as a preview feature but it works fine), see the corresponding Keycloak docs for more details.

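As an added illustration of the server-side exchange the reply above describes (example code written for this thread, not Keycloak's or Spring's own code), here is the backend half of RFC 8693 in Python rather than the Spring Boot app's Java, so it runs stand-alone. The form parameters follow RFC 8693 section 2.1 plus the `requested_token_type` and `audience` parameters from the Keycloak token-exchange docs; the token endpoint URL, the client id and secret, the audience name and all token strings are placeholders, and the issuer response is a constructed sample. The exchanged token is kept in backend memory only, is redacted from `repr`, and is re-exchanged when a long-running operation would otherwise outlive it.

```python
import json
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

# Placeholders: the realm's token endpoint and the backend's own
# confidential client (not the public Angular client).
TOKEN_ENDPOINT = "https://keycloak.example/realms/demo/protocol/openid-connect/token"
CLIENT_ID = "backend-service"
CLIENT_SECRET = "replace-me"


def build_exchange_form(subject_token: str, audience: Optional[str] = None) -> Dict[str, str]:
    """Form body per RFC 8693 section 2.1; requested_token_type and audience
    are the Keycloak-documented extras."""
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "subject_token": subject_token,           # the user's token from the frontend
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
    }
    if audience:
        form["audience"] = audience               # the downstream service's client id
    return form


class ServiceToken:
    """The exchanged token and its expiry. Lives in backend memory only."""

    def __init__(self, access_token: str, expires_in: int, issued_at: float, skew: float = 30.0):
        self.access_token = access_token
        self.expires_at = issued_at + expires_in
        self.skew = skew  # margin for clock drift and the downstream call's latency

    def is_valid(self, now: float) -> bool:
        return now + self.skew < self.expires_at

    def __repr__(self) -> str:
        return "ServiceToken(<redacted>)"  # keeps the token out of logs and traces


def parse_exchange_response(status: int, body: bytes, now: float) -> ServiceToken:
    """Check the RFC 8693 section 2.2 response before trusting it."""
    if status != 200:
        raise PermissionError(f"token exchange rejected with HTTP {status}")
    data = json.loads(body)
    if data.get("issued_token_type") != ACCESS_TOKEN_TYPE:
        raise ValueError("issuer returned an unexpected issued_token_type")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("issuer returned an unexpected token_type")
    return ServiceToken(data["access_token"], int(data["expires_in"]), now)


def http_post(url: str, form: Dict[str, str]) -> Tuple[int, bytes]:
    """Real transport, used only when no fake is injected."""
    req = Request(url, data=urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


def exchange_token(subject_token: str, audience: Optional[str] = None,
                   post=http_post, now: Callable[[], float] = time.time) -> ServiceToken:
    status, body = post(TOKEN_ENDPOINT, build_exchange_form(subject_token, audience))
    return parse_exchange_response(status, body, now())


class DownstreamCredential:
    """Supplies the bearer value for each downstream call, re-exchanging when
    the cached token is about to expire in the middle of a long operation."""

    def __init__(self, exchange: Callable[[], ServiceToken], now: Callable[[], float] = time.time):
        self._exchange, self._now, self._token = exchange, now, None
        self.exchanges = 0

    def bearer(self) -> str:
        if self._token is None or not self._token.is_valid(self._now()):
            self._token = self._exchange()
            self.exchanges += 1
        return self._token.access_token


# Constructed sample issuer response, shaped like RFC 8693 section 2.2.1.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "exchanged.sample.token",
    "issued_token_type": ACCESS_TOKEN_TYPE,
    "token_type": "Bearer",
    "expires_in": 600,
}).encode()


def demo(clock_steps=(0, 100, 560, 580)) -> int:
    """Replay a long-running operation against a fake clock and a fake
    issuer; returns how many exchanges the operation needed."""
    clock = {"t": 0.0}

    def fake_post(url, form):
        assert form["grant_type"] == TOKEN_EXCHANGE_GRANT
        return 200, SAMPLE_RESPONSE

    cred = DownstreamCredential(
        lambda: exchange_token("user.sample.token", "downstream-api", fake_post, lambda: clock["t"]),
        now=lambda: clock["t"])
    for t in clock_steps:
        clock["t"] = float(t)
        cred.bearer()          # the downstream call would use this value
    return cred.exchanges
```

`demo()` walks a 600-second token through calls at 0, 100, 560 and 580 seconds; with the 30-second skew margin the fourth call triggers a second exchange. Two things to keep in mind: the exchanged token must not appear in any response to the frontend, and a re-exchange is only accepted while the user's original subject token is itself still valid, so the exchange should happen at the start of the operation rather than after the user's token has already timed out.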