Offline token and active session max


I want to make an app logged with an offline token.

const config = {
    clientId: "CLIENT", promiseType: "native"
    realm: "dev", scope: "offline_access",
    url: "https://XXX/auth",
    refreshToken: this.getOfflineToken()
this.keycloak.init(config).then((authenticated) => {
    if (!authenticated) {
}).catch((a) => {

this.keycloak.onAuthSuccess = () => {
  1. At first login, config.refreshToken is not set, so authenticated = false
  2. I do login()
  3. Go back in my app, and authenticated = true !
  4. At each refresh tokens, offline token is set in localstorage
  5. At second login, config.refreshToken is an offline refresh token, so authenticated = true !

And, when the active session is finished, I’m disconnected

I test with a short SSO Session Max (2 mins) and I need to re-log with login/password after this 2 mins.
In the admin tab, the offline session is still active.

It looks like this issue
And in documentation "an offline token will never expire by default and is not subject of the SSO Session Idle timeout and SSO Session Max lifespan"

We can’t have unlimited active session ?
It’s a bug ? Or I misunderstood something?

Thank you for your help.

I try with curl :


refresh_token=`curl -k \
-d "client_id=$KC_CLIENT" \
-d "username=$USERNAME" \
-d "password=$PASSWORD" \
-d "grant_type=password" \
-d "scope=openid info offline_access" \
https://localhost:8080/auth/realms/$KC_REALM/protocol/openid-connect/token | jq -r '.refresh_token'` 

echo $refresh_token

while (true)
echo '\n\n\n'
curl -k \
 -d "client_id=$KC_CLIENT" \
 -d "grant_type=refresh_token" https://localhost:8080/auth/realms/$KC_REALM/protocol/openid-connect/token \
 -d "refresh_token=$refresh_token" | jq
echo `date`
sleep 10s

And I don’t have this problem, the active session is not deleted.

Jira issue

And it’s officially a bug.

1 Like