Silent token refresh through gatekeeper


I'm trying to set up my web app to silently refresh the tokens when they expire.
The web app runs behind Gatekeeper version 7.0.1. Keycloak is also at v7.0.1.

The initial login through GK/KC works fine. My web app gets the kc-access and kc-state cookies set and the Gatekeeper /oauth/token endpoint gives me a good JWT.
Now, when the token expires, I can't get it to refresh.

I do check the /oauth/expired endpoint on Gatekeeper periodically (in my development environment it's every 30 secs) for a 401 return code.
After I get a 401, I access a file in my web app through an AJAX call. This is to force Gatekeeper to attempt to refresh the token.

Accessing that file works fine and Gatekeeper logs “injecting the refreshed access token cookie”, but I was also expecting a Set-Cookie header which would give me the updated cookie.

Isn't that how the enable-refresh-tokens config in Gatekeeper is supposed to work, or did I get something wrong?

If I am wrong, what is the right way to do a silent token refresh?

– Sebastian
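The poll-then-trigger flow described in the post, as an added example that is not part of the original thread or of the Gatekeeper project. The /oauth/expired endpoint, the kc-access cookie and enable-refresh-tokens come from the post; the keepalive resource path, the /oauth/authorize login path, and the fake Gatekeeper used for offline runs are my own assumptions.

```javascript
// Pure decision logic for one poll tick, kept separate so it can be tested
// without a browser. Inputs: was the token expired before the trigger request,
// what status did the trigger request get, and is it still expired afterwards.
function classifyCycle(expiredBefore, triggerStatus, expiredAfter) {
  if (!expiredBefore) return 'valid';            // nothing to do this tick
  if (triggerStatus === 401 || triggerStatus === 403) return 'reauth-required';
  return expiredAfter ? 'refresh-failed' : 'refreshed';
}

async function isExpired(fetchImpl) {
  // Gatekeeper answers 401 here once the access token in kc-access has expired.
  const res = await fetchImpl('/oauth/expired', { credentials: 'same-origin' });
  return res.status === 401;
}

// One poll tick. Scripts cannot read Set-Cookie on a response (and the kc-*
// cookies are HttpOnly), so the only reliable confirmation that the refresh
// took effect is asking /oauth/expired again after the triggering request.
async function refreshCycle(fetchImpl, resourcePath) {
  if (!(await isExpired(fetchImpl))) return 'valid';
  // Any request proxied through Gatekeeper gives it the chance to use the
  // refresh token (enable-refresh-tokens) and inject a new kc-access cookie.
  const trig = await fetchImpl(resourcePath, { credentials: 'same-origin', cache: 'no-store' });
  return classifyCycle(true, trig.status, await isExpired(fetchImpl));
}

// Browser entry point: poll every 30 s as in the post, and fall back to a full
// redirect login when Gatekeeper itself rejects the triggering request.
// resourcePath and loginPath are assumed values, adjust for your deployment.
function startSilentRefresh({ fetchImpl = fetch, resourcePath = '/keepalive.txt',
                              loginPath = '/oauth/authorize', intervalMs = 30000, onState } = {}) {
  const timer = setInterval(async () => {
    const state = await refreshCycle(fetchImpl, resourcePath);
    if (onState) onState(state);
    if (state === 'reauth-required') { clearInterval(timer); window.location.assign(loginPath); }
  }, intervalMs);
  return () => clearInterval(timer);                // call to stop polling
}

// Constructed stand-in for Gatekeeper so the logic can run offline: the token
// starts expired and, when refreshOk is true, the first proxied request
// "injects" a fresh one; with refreshOk false it models the post's symptom.
function makeFakeGatekeeper({ refreshOk }) {
  let expired = true;
  return async (path) => {
    if (path === '/oauth/expired') return { status: expired ? 401 : 200 };
    if (refreshOk) expired = false;
    return { status: 200 };
  };
}
```

In a real page, `startSilentRefresh({ onState: console.log })` runs the loop; the `refresh-failed` state is exactly the condition the post reports, where the request succeeds but a later /oauth/expired still returns 401.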


In case anyone runs into the same problem:

I found an issue in the official Jira board which in part describes my problem. [KEYCLOAK-11077]

Also, there is an open pull request here to fix those issues.

Were you able to solve this issue? If I understood you correctly the refresh token doesn’t work properly on xhr requests. I’m having the same issue. The kc-access and kc-state are not updated if the refresh happens from xhr requests.