Extend expiry of refresh_token on every usage

Is it possible to configure keycloak to extend refresh token expiration time every time when refresh token is used to refresh user session? For example:

  1. I have a vaild refresh token.
  2. I use this token to refresh my session (grant_type = refresh_token)
  3. I get a new access token and a new refresh token. New refresh token has expiration set to (now +30 days).

Right now when keycloak issues a new refresh token it has the same expiration time as the old refresh_token.

Relevant context: Understanding access token lifespan - #5 by andsouto

It sounds like you may be looking for a use case for “offline access” in Keycloak. I would recommend checking out the Keycloak documentation on the topic for more information:

Server Administration - Offline access

Please note that offline tokens are similar to refresh tokens, but they can be used to obtain a new access token even when the user is not actively using the application. Keep in mind that offline tokens are essentially a password, so it is important to treat them with the same level of security and care as you would with any other sensitive information.

Thanks @weltonrodrigo . I have heard about offline tokens. It would be good but as I have read in documentation:

The difference between a refresh token and an offline token is that an offline token never expires

What I want to achieve is to:

  • Allow users which are actively using the application refresh their sessions.
  • Users which are not using the application actively should be logged out after specified expiration time.

This is not possible using offline tokens.

offline tokens do expire, it’s just that you can set another timeout for them, independent from normal session tokens.

If what you want to achieve are very long web sessions, take a look the configuration for those knobs: Server Administration - Session and token timeouts