Best practice for native mobile apps (session expiration? offline tokens?)

Hi. I have a fairly typical project that has a website and a bunch of native mobile/desktop apps.

Is there any definitive information about how to best configure keycloak for such a case? The issues I have are:

  • The lifetime of refresh tokens seems to be linked to the lifetime of the login session (e.g. https://github.com/openid/AppAuth-Android/issues/531). I want the mobile app refresh token to pretty much never expire (except maybe when idle for weeks), which is how mobile apps normally behave. It seems I have to configure a very long session time then(?), which would however be bad for the website (I want a fairly short session expiration for the regular web/form login, which is accessed with regular browsers). In general, the concept of a “SSO session” seems kinda foreign for mobile apps.

  • I looked into the possibility of using an offline token instead, but this use case (regular mobile apps) doesn’t seem to be what it’s meant for, based on the docs. Am I wrong here and a session with offline_access scope is the “correct” way to achieve never-expiring mobile app login? Or is there a better way to do it?

Hello Peter, I’m facing a similar situation and was wondering how you solved it.

Any help/guidance is much appreciated, thanks!
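One way to express the split the original question asks about, as an added example (not from this thread or from Keycloak's own documentation): a partial realm export where the realm keeps a long SSO session for the mobile clients, the browser-facing client is shortened with client-level session overrides, and the mobile client is allowed to request `offline_access` for the second approach. It assumes the client attribute names for the per-client overrides (`client.session.idle.timeout` and `client.session.max.lifespan`, in seconds as strings) and that those overrides can only lower the realm's SSO values, never raise them; the realm and client names, URIs and lifetimes are constructed placeholders.

```json
{
  "realm": "example",
  "ssoSessionIdleTimeout": 2592000,
  "ssoSessionMaxLifespan": 31536000,
  "accessTokenLifespan": 300,
  "revokeRefreshToken": true,
  "refreshTokenMaxReuse": 0,
  "offlineSessionIdleTimeout": 2592000,
  "offlineSessionMaxLifespanEnabled": false,
  "clients": [
    {
      "clientId": "website",
      "publicClient": false,
      "standardFlowEnabled": true,
      "redirectUris": ["https://www.example.com/*"],
      "attributes": {
        "client.session.idle.timeout": "1800",
        "client.session.max.lifespan": "28800"
      }
    },
    {
      "clientId": "mobile-app",
      "publicClient": true,
      "standardFlowEnabled": true,
      "redirectUris": ["com.example.app:/oauth2redirect"],
      "attributes": {
        "pkce.code.challenge.method": "S256"
      },
      "optionalClientScopes": ["offline_access"]
    }
  ]
}
```

The per-client override only shortens the website client's refresh tokens; the browser's realm SSO cookie still lives for the long realm idle time, so a returning web user is silently re-authenticated until that cookie expires, which is why the offline-token route (governed by `offlineSessionIdleTimeout`, independent of the SSO session) is the one that actually decouples the mobile lifetime from the web one. With `revokeRefreshToken` on and `refreshTokenMaxReuse` 0, each refresh token is single-use, so a mobile client must persist the newest token from every refresh response.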