Can the OIDC refresh token request optionally return a new refresh token?

Hi,

We are looking for some advice on using Keycloak and OIDC to meet the following use case:

Allow a Client (SPA in our case) to make a ‘background’ request to a Resource Server (RS), using the user's access token, which we do not class as a user action and which should not reset the SSO Session Idle timer, allowing a user to be logged out from the Client when they have not been active for the idle time.

Current implementation considerations:

  • We use the SSO Session Idle (refresh token expiry) to log the user out when they are not active for the SSO Session Idle time (on next request to RS).
  • We need to protect the background request endpoints, and we need to know which user is logged in when these background requests are made in order to return the correct data to the client. (Does this rule out the use of the client_credentials grant type?)

Ideally we would like to maintain:

  • The use of SSO Session Idle to implement user logout on idle
  • A short lived access token (we could make the Access Token Lifespan == SSO Session Idle)

The possible approach we have talked about is, when making a ‘background’ request, to use the user's access token and, when it has expired, refresh the access token using the user's refresh token, but not the refresh token itself, as per the OAuth spec here: https://tools.ietf.org/html/rfc6749#section-1.5 (request H suggests getting a new refresh token is optional).

The issue with this approach is that we cannot seem to prevent the request to the token endpoint from returning a new refresh token. Is this possible in Keycloak’s implementation of this endpoint?

We thought about ignoring the new refresh token but section 6 of the spec says: “The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token.” (https://tools.ietf.org/html/rfc6749#section-6)

We are open to suggestions, and please let us know if we are breaking some best practices or using something totally wrong. If anyone else has experienced such an issue or implemented something similar and has any advice, it would be much appreciated.

Thanks,
David
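Client-side handling of the refresh response the post is asking about, as an added example (not code from the post or from Keycloak): it keeps the old refresh token when the token endpoint omits `refresh_token` and replaces it when one is returned, which is what RFC 6749 §6 requires of the client either way. Response field names are those of RFC 6749 §5.1 plus Keycloak's `refresh_expires_in`; the storage layout and function names are this example's own.

```javascript
// Build the form body for POST /token with the refresh_token grant (RFC 6749 §6).
// No client_secret: a public SPA client cannot keep one confidential.
function buildRefreshRequestBody(clientId, refreshToken, scope) {
  const params = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    refresh_token: refreshToken,
  });
  if (scope) params.set('scope', scope);
  return params.toString();
}

// Apply a token response to the stored token set.
// RFC 6749 §6: the server MAY return a new refresh_token; if it does, the old
// one MUST be discarded. If it does not, the old refresh token stays in use.
// `stored` is this example's own shape: { accessToken, accessExpiresAt,
// refreshToken, refreshExpiresAt } with absolute times in epoch seconds.
function applyTokenResponse(stored, response, nowSeconds) {
  if (!response || typeof response.access_token !== 'string') {
    throw new Error('token response has no access_token');
  }
  if (response.token_type && response.token_type.toLowerCase() !== 'bearer') {
    throw new Error(`unsupported token_type: ${response.token_type}`);
  }
  const next = {
    accessToken: response.access_token,
    // expires_in is relative (seconds); store an absolute instant instead.
    accessExpiresAt: nowSeconds + Number(response.expires_in || 0),
    refreshToken: stored.refreshToken,
    refreshExpiresAt: stored.refreshExpiresAt,
  };
  if (typeof response.refresh_token === 'string') {
    next.refreshToken = response.refresh_token;
    // Keycloak reports the refresh token lifetime as refresh_expires_in;
    // 0 means the session does not expire on idle.
    if (response.refresh_expires_in !== undefined) {
      const ttl = Number(response.refresh_expires_in);
      next.refreshExpiresAt = ttl > 0 ? nowSeconds + ttl : null;
    }
  }
  return next;
}

// Decide whether the access token must be refreshed before a request,
// leaving a small margin for clock skew between client and server.
function needsRefresh(stored, nowSeconds, skewSeconds = 30) {
  return stored.accessExpiresAt - skewSeconds <= nowSeconds;
}
```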