How to make token expire when LOA expire time is up

Hello, I have configured ACR / LOA step up authentication as discussed in the official examples:

https://www.keycloak.org/docs/latest/server_admin/#_step-up-flow

As I understand, each LOA level has an expiry associated so that the level is only valid for x seconds.

My problem is that once I get the higher LOA level, when I use my refresh token the resulting access token still has the higher LOA level.

How do I make my token expire when the LOA level expires?

Thank you for your help

Hi,

I don't know if this is still relevant for you since your topic is more than a year old.
We had the same problem and unfortunately there is no out of the box solution for this (in Keycloak 23.0.4).
You could try to overwrite the TokenManager from Keycloak and a bunch of other classes to compute your own lifespan or see our discussion here on how we worked around this problem.