Generating a long-lived Session Token (using an Access Token?)

nosan · February 7, 2022, 2:20pm

I use the following code to retrieve (generate) an access token:

    const kcTokenEndpoint = `https://${kcHost}/auth/realms/${realm}/protocol/openid-connect/token`;
  
    const response = await axios({
      method: 'POST',
      url: kcTokenEndpoint,
      data: qs.stringify({
        client_id: keycloakClientId,
        client_secret: keycloakClientSecret,
        grant_type: 'client_credentials',
      }),
      headers: {
        'Content-type': 'application/x-www-form-urlencoded',
      },
      withCredentials: true,
    });

The JWT in response.data.access_token is valid for 5 minutes. Should I be using it to fetch a longer-lived (10 hour) session token? Should I just be fetching a session token from the start?

I can’t really find any documentation on how token generation and/or token exchange should be used in a Client Credentials flow, e.g. an application that accesses a remote API which expects a signed JWT.

Basically the M2M flow that Auth0 offers.

Thank you for any info.

Topic		Replies	Views
Tokens expiring too soon Configuring the server authentication , oidc	4	5007	October 30, 2021
Understanding access token lifespan Getting advice authentication	4	18304	June 13, 2022
Keycloak server issuing already expired tokens Securing applications oidc	6	5193	November 8, 2023
Understanding Access token expiration when using client_credentials grant type Getting advice	1	1911	August 19, 2022
Confused about Offline Token behavior Getting advice	3	645	February 27, 2024

Generating a long-lived Session Token (using an Access Token?)

Related Topics