Refresh token expiration time not

Hello,
I configured several tenants on the same Keycloak deployment, and I cannot figure out what is misconfigured with one of them.

I am using the Direct Access workflow.
When I ask for a token generation I correctly obtain a new access token, alongside the refresh token. In this case every token has its own expire time at the maximum allowed.

{
    "access_token": "...",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "...",
    "token_type": "Bearer",
    "scope": "openid profile email"
     ...
}

Then, when I perform a token refresh I correctly obtain new tokens. But what I see is that the refresh token expiration time (field refresh_expires_in) is not reset but continues to decrease in time, request after request.
My expectation is the new refresh token has the maximum time availability.

In the following refresh response refresh_expires_in is 1582, but my expectation is 1800 (30 minutes, as specified in my configuration).

{
    "access_token": "...",
    "expires_in": 300,
    "refresh_expires_in": 1582,
    "refresh_token": "...",
    "token_type": "Bearer",
    "scope": "openid profile email"
     ...
}

Thank you for your support,
Nicola

I found it: the problem was that Client Session Idle must be less than SSO Session Max.

BR,
Nicola

That’s right. The problem is that Keycloak does not validate or alert us when Client Session Idle is set higher than SSO Session Max, making it difficult to know in advance that this setting will not apply.
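
A check for the misconfiguration identified in this thread, added here as an example and not part of the original posts or Keycloak's own code: it reads a realm export and lists clients whose effective Client Session Idle is not below SSO Session Max. The sample realm is constructed, and the fallback rule (0 or unset inherits the realm value) is an assumption about how the effective timeout is resolved.

```python
import json

# Constructed sample in the shape of a Keycloak realm export (all values made up).
SAMPLE_REALM = json.loads("""
{
  "realm": "tenant-a",
  "ssoSessionIdleTimeout": 1800,
  "ssoSessionMaxLifespan": 3600,
  "clientSessionIdleTimeout": 0,
  "clients": [
    {"clientId": "api-ok",      "attributes": {"client.session.idle.timeout": "900"}},
    {"clientId": "api-bad",     "attributes": {"client.session.idle.timeout": "7200"}},
    {"clientId": "api-equal",   "attributes": {"client.session.idle.timeout": "3600"}},
    {"clientId": "api-default", "attributes": {}}
  ]
}
""")


def _seconds(value):
    """Realm timeouts are ints, client attributes are strings; 0, empty or junk means 'inherit'."""
    try:
        return int(value or 0)
    except (TypeError, ValueError):
        return 0


def lint_session_timeouts(realm):
    """Return (clientId, idle, sso_max) for clients whose idle timeout is not below SSO Session Max."""
    sso_max = _seconds(realm.get("ssoSessionMaxLifespan"))
    # Assumption: realm-level Client Session Idle of 0 falls back to SSO Session Idle.
    realm_idle = (_seconds(realm.get("clientSessionIdleTimeout"))
                  or _seconds(realm.get("ssoSessionIdleTimeout")))
    findings = []
    for client in realm.get("clients", []):
        attrs = client.get("attributes") or {}
        # Assumption: a per-client override wins over the realm-level value.
        idle = _seconds(attrs.get("client.session.idle.timeout")) or realm_idle
        if sso_max and idle >= sso_max:
            findings.append((client["clientId"], idle, sso_max))
    return findings


if __name__ == "__main__":
    for client_id, idle, sso_max in lint_session_timeouts(SAMPLE_REALM):
        print(f"{client_id}: Client Session Idle {idle}s is not below SSO Session Max {sso_max}s")
```

Running it against each tenant's realm export before rollout surfaces the setting that Keycloak accepts silently.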