Revoke Refresh Token Strategy blocks Access Token renewal

Hi there,

We use the javascript-adapter for our Frontend Application (uses the public Keycloak client), which is Angular2 based. We bootstrap the Application only when the user is Authenticated and then we make API calls to the Backend application/Resource Server with the Bearer Token received from Keycloak, where a Bearer Only Client is configured. Some pages of the Application need to be opened in a new browser tab to meet some business requirements. We have the following settings in our Keycloak Server (v7.2.4.GA):

  • Revoke Refresh Token ON
  • Refresh Token Max Reuse is 0

Now that the Application is opened in a new tab, the previous tab may try to update the Access Token once the token is about to expire. Our Keycloak Server is also configured to generate a new Refresh Token on every Access Token update. This will trigger a new Refresh Token every 5 minutes or so. Once the new Refresh Token is given to tab1, tab2 will no longer be able to renew the Access Token because of the aforementioned Revoke Refresh Token Strategy.

If we store the Refresh Token in localStorage/sessionStorage/a Cookie, we can get around this problem, but there are security implications too. Kindly advise the recommended approach in this case. Also, are there any settings in the server so that the same refresh token will be granted when the same user/keycloak-client combination tries to refresh the Access Token?

Thanks

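A simplified model of the server-side reuse check the question runs into, added here as an example and not Keycloak's own code: a per-client-session record tracks the last accepted refresh token and how often it was presented, sequence numbers stand in for issuedAt timestamps, and the `createSession`, `refresh` and `twoTabScenario` names are assumptions. It shows why tab 2, still holding the original refresh token, is rejected once tab 1 has rotated it with Max Reuse 0, and what changes with Max Reuse 1 or with revocation off.

```javascript
// Simplified model (added example, not Keycloak's code) of the "Revoke Refresh Token"
// and "Refresh Token Max Reuse" realm settings. Sequence numbers stand in for issuedAt.
function createSession(opts) {
  return {
    revoke: opts.revokeRefreshToken, // realm setting: Revoke Refresh Token
    maxReuse: opts.maxReuse,         // realm setting: Refresh Token Max Reuse
    seq: 0,                          // issue counter for refresh tokens
    current: null,                   // id of the refresh token most recently accepted
    useCount: 0,                     // how many times `current` has been presented
    lastRefreshSeq: 0,               // seq of the token issued by the last refresh
  };
}

function issueRefreshToken(session) {
  session.seq += 1;
  return { id: 'rt-' + session.seq, seq: session.seq };
}

// Exchange a refresh token for a new access token and a rotated refresh token.
// Returns { ok: true, accessToken, refreshToken } or { ok: false, error }.
function refresh(session, token) {
  if (session.revoke) {
    // A non-current token older than the last rotation is a replay: reject it.
    if (session.current !== null && token.id !== session.current && token.seq < session.lastRefreshSeq) {
      return { ok: false, error: 'invalid_grant: Stale token' };
    }
    if (token.id !== session.current) { session.current = token.id; session.useCount = 0; }
    // The same token may be presented at most maxReuse extra times.
    if (session.useCount > session.maxReuse) {
      return { ok: false, error: 'invalid_grant: Maximum allowed refresh token reuse exceeded' };
    }
    session.useCount += 1;
  }
  const next = issueRefreshToken(session);
  session.lastRefreshSeq = next.seq;
  return { ok: true, accessToken: 'at-' + next.seq, refreshToken: next };
}

// The situation in the question: two tabs share one login and each holds its own
// in-memory copy of the refresh token; tab 1 renews first, then tab 2 tries.
function twoTabScenario(opts) {
  const session = createSession(opts);
  const initial = issueRefreshToken(session); // token handed out at login
  const r1 = refresh(session, initial);       // tab 1 renews and receives rt-2
  const r2 = refresh(session, initial);       // tab 2 still presents the original
  return { tab1Ok: r1.ok, tab2Ok: r2.ok, tab2Error: r2.ok ? null : r2.error };
}

console.log(twoTabScenario({ revokeRefreshToken: true, maxReuse: 0 })); // tab2Ok: false
console.log(twoTabScenario({ revokeRefreshToken: true, maxReuse: 1 })); // tab2Ok: true
```

Raising Max Reuse lets the second tab through once, but it also lets any other holder of that token through once, which is the trade-off behind the storage question above.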

Any solution for this issue? Because I'm also facing it in my app.