- Revoke Refresh Token ON
- Refresh Token Max Reuse is 0
Now that the Application is opened in a new tab, the previous tab may try to update the Access Token once the token is about to expire. Our Keycloak Server is also configured to generate a new Refresh Token on every Access Token update. This will trigger a new Refresh Token every 5 minutes or so. Once the new Refresh Token is given to tab1, tab2 will no longer be able to renew the Access Token because of the aforementioned Revoke Refresh Token Strategy.
If we store the Refresh Token in localStorage/sessionStorage/Cookie, we can get around this problem, but there are security implications too. Kindly advise on the recommended approach in this case. Also, are there any settings in the server so that the same refresh token will be granted when the same user/keycloak-client combination tries to refresh the Access Token?
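
The two-tab failure described in the question, as an added example that is not part of the original post and not Keycloak's own code: a simplified in-memory model of the two settings listed above. The class, function names and error strings are assumptions, and both tabs are assumed to start with the same refresh token.

```javascript
// Simplified model of refresh token rotation, constructed for illustration.
// It is not Keycloak source code; names and error strings are assumptions.
class TokenServer {
  constructor({ revokeRefreshToken, maxReuse }) {
    this.revoke = revokeRefreshToken; // models "Revoke Refresh Token"
    this.maxReuse = maxReuse;         // models "Refresh Token Max Reuse"
    this.tokens = new Map();          // token id -> { seq, uses }
    this.seq = 0;
    this.lastRedeemedSeq = -1;
  }

  issue() {
    const id = `rt-${this.seq}`;
    this.tokens.set(id, { seq: this.seq++, uses: 0 });
    return id;
  }

  refresh(id) {
    const t = this.tokens.get(id);
    if (!t) return { ok: false, error: 'unknown token' };
    if (this.revoke) {
      // A token older than the most recently redeemed one is treated as stale.
      if (t.seq < this.lastRedeemedSeq) return { ok: false, error: 'stale token' };
      // One regular use plus maxReuse repeats are allowed per token.
      if (t.uses > this.maxReuse) return { ok: false, error: 'reuse exceeded' };
      t.uses += 1;
      this.lastRedeemedSeq = t.seq;
    }
    // Every successful refresh hands out a new refresh token.
    return { ok: true, refreshToken: this.issue() };
  }
}

// Both tabs hold the same refresh token; tab1 refreshes first, then tab2.
function twoTabs(revokeRefreshToken, maxReuse) {
  const server = new TokenServer({ revokeRefreshToken, maxReuse });
  const shared = server.issue();
  const tab1 = server.refresh(shared);
  const tab2 = server.refresh(shared);
  return { tab1, tab2 };
}

console.log(twoTabs(true, 0));  // the configuration from the question
console.log(twoTabs(true, 1));  // same strategy with one reuse allowed
console.log(twoTabs(false, 0)); // revocation switched off
```

In this model a nonzero reuse count lets the second tab succeed, and equally lets any other holder of the same token redeem it once more.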