Hello,
I have a problem that automatically refreshing a token (every 5 minutes) ALSO extends the current user session. This is fine. However, this behaviour makes the SSO Session Idle time (30 minutes) irrelevant, since the session is extended on every token refresh (with grant_type: refresh_token).
Example
- at 10:30 the user authenticates => last user access at 10:30. Token valid for 5 minutes
- at 10:35 the UI automatically refreshes the token => last user access at 10:35, new token valid for 5 minutes
- at 10:40 the UI automatically refreshes the token => last user access at 10:40, new token valid for 5 minutes.
This means: the SSO Session Idle time is NEVER reached, since Keycloak updates the "last user access" to the time of the token refresh. Therefore, only the SSO Session Max time is relevant.
However, I would expect that on a token refresh the "last user access" is NOT updated, and therefore that the SSO Session Idle time is reached after 30 minutes and the token cannot be refreshed any more.
Or, formulated differently: How can we tell Keycloak to differentiate between "refresh token" (which should not be interpreted as "user is active") and "some action has happened to extend the session idle time" (which should be interpreted as "user is active")?
Or: Is our approach of proactively refreshing the token every 5 minutes in the background the wrong way to do it?
Thanks Volker