Does KeyCloak support Refresh Token Rotation?

rscott · November 30, 2020, 7:05pm

Specified in draft-ietf-oauth-security-topics-13 section 4.12, refresh token rotation is becoming a vital part of using OIDC with SPAs. Auth0 supports it–does KeyCloak?

ntuveri · December 1, 2020, 1:38pm

It should be possible to enable refresh token rotation through the option “Revoke Refresh Token” (please see https://www.keycloak.org/docs/latest/server_admin/#_timeouts).

Topic		Replies	Views
Can the OIDC refresh token request optionally return a new refresh token? Getting advice oidc	0	364	November 15, 2019
Can the OIDC refresh token request optionally return a new refresh token? Getting advice oidc	0	753	November 15, 2019
Disable Refresh Token for Service Accounts Securing applications oidc	6	5028	May 13, 2022
Revoke refresh token settings not working Configuring the server oidc	0	2708	August 19, 2021
Refresh_token and offline_access scope	6	151	March 27, 2024

Does KeyCloak support Refresh Token Rotation?

Related Topics