Hi. I have a fairly typical project that has a website and a bunch of native mobile/desktop apps.
Is there any definitive information about how to best configure keycloak for such a case? The issues I have are:
- The lifetime of refresh tokens seems to be linked to the lifetime of the login session (e.g. https://github.com/openid/AppAuth-Android/issues/531). I want the mobile app refresh token to pretty much never expire (except maybe when idle for weeks), which is how mobile apps normally behave. It seems I have to configure a very long session time then(?), which would however be bad for the website (I want a fairly short session expiration for the regular web/form login, which is accessed with regular browsers). In general, the concept of an “SSO session” seems kinda foreign for mobile apps.
- I looked into the possibility of using an offline token instead, but this use case (regular mobile apps) doesn’t seem to be what it’s meant for, based on the docs. Am I wrong here and a session with offline_access scope is the “correct” way to achieve never-expiring mobile app login? Or is there a better way to do it?