Currently we are trying to switch our system to Keycloak, and we have run into one problem.
In our previous implementation we had a kind of "Hard/Soft Login" feature:
- Soft Login (token valid for 30 days): a soft-logged-in user can browse the site, but when he tries to access more restricted pages (like the account dashboard, etc.), he has to re-enter his login/password (log in again).
- Hard Login (token valid for 30 minutes; should be revoked after 30 minutes of inactivity): a hard-logged-in user can browse all pages on the site.
So in simple words, the user gets 2 tokens with different expiration times on first login. The first token is a simple access_token with all scopes available, and the second token is our custom token with a short lifespan. On restricted pages both tokens must be valid; on non-restricted pages just 1 token is required.
The main question is: does Keycloak have an OOTB solution to achieve this? Or is there another similar solution we can use for our case?
We have been digging through the documentation for a week, but still can't find a clean solution.
Any help you could provide would be much appreciated!
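A model of the two-token gate described in the post, added here as an illustration (it is not Keycloak code and not the poster's implementation): signed `soft`/`hard` tokens, a server-side inactivity window for the hard token, and the rule that restricted pages need both tokens while other pages need only the soft one. It assumes the 30-minute hard lifetime is a sliding idle window, uses HMAC-signed stand-ins for JWTs and an in-memory activity store, and the names `mint`, `verify` and `authorize` are mine.

```python
import base64, hashlib, hmac, json

# Constructed demo values; a real deployment keeps the key in a secret store.
SECRET = b"constructed-demo-key-do-not-reuse"
SOFT_TTL = 30 * 24 * 3600   # soft login: absolute lifetime of 30 days
HARD_IDLE = 30 * 60         # hard login: revoked after 30 minutes without activity
last_seen = {}              # hard-token jti -> last activity timestamp (server-side state)
revoked = set()             # hard-token jtis already revoked for inactivity

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint(kind: str, subject: str, issued_at: int) -> str:
    """Issue a minimal HMAC-signed token (a stand-in for a JWT). A 'soft' token carries
    an absolute exp; a 'hard' token does not, since its validity is the sliding idle window."""
    claims = {"kind": kind, "sub": subject, "iat": issued_at, "jti": f"{subject}-{issued_at}"}
    if kind == "soft":
        claims["exp"] = issued_at + SOFT_TTL
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _b64(hmac.new(SECRET, payload, hashlib.sha256).digest())

def verify(token: str, now: int):
    """Return the claims if the signature checks out and any exp is still in the future."""
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        if not hmac.compare_digest(_b64(hmac.new(SECRET, payload, hashlib.sha256).digest()), sig):
            return None
        claims = json.loads(payload)
        return None if "exp" in claims and now >= claims["exp"] else claims
    except (ValueError, KeyError, UnicodeDecodeError):
        return None

def authorize(restricted: bool, soft_token: str, hard_token, now: int) -> str:
    """'allow', 'deny' (no usable soft login) or 'reauth' (restricted page, hard login missing or stale)."""
    soft = verify(soft_token, now)
    if soft is None or soft.get("kind") != "soft":
        return "deny"
    if not restricted:
        return "allow"          # non-restricted page: the soft token alone is enough
    hard = verify(hard_token, now) if hard_token else None
    if hard is None or hard.get("kind") != "hard" or hard.get("sub") != soft["sub"]:
        return "reauth"         # both tokens must be valid and belong to the same user
    jti = hard["jti"]
    if jti in revoked or now - last_seen.get(jti, hard["iat"]) > HARD_IDLE:
        revoked.add(jti)        # 30 minutes idle: revoke rather than silently extend
        last_seen.pop(jti, None)
        return "reauth"
    last_seen[jti] = now        # activity extends the idle window
    return "allow"
```

Presenting the soft token in place of the hard one, or a hard token minted for a different user, is refused the same way as a missing hard token, so a soft-only session can never reach a restricted page.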