Token refresh extends user session

I have a problem that automatically refreshing a token (every 5 minutes) ALSO extends the current user session. This is fine. However, this behaviour makes the SSO Session Idle (30 minutes) time irrelevant since on every token refresh (with grant_type: refresh_token).

  • at 10:30 the user authenticates => last user access at 10:30. Token valid for 5 minutes
  • at 10:35 the UI automatically refreshes the token => last user access at 10:35, new token valid for 5 minutes
  • at 10:40 the UI automatically refreshes the token => last user access at 10:40, new token valid for 5 minutes.

This means: the SSO Session idle time is NEVER reached since Keycloak updates the “last user access” to the time of the token refresh. Therefore, only SSO Session Max time is relevant.

However, I would expect that on a token refresh the “last user access” is NOT updated. And, therefore the SSO Session idle time is reached after 30 minutes and the token cannot be refreshed.

Or formulated differently: How can we tell KeyCloak to differentiate between “refresh token” (which should not be interpreted as ‘user is active’) and “some action has happened to extend the session idle time” (which should be interpreted as ‘user is active’)?

Or: Is our approach to pro-actively refresh the token every 5 minutes in the background the wrong way we are doing it?

Thanks Volker

Correct, that’s not the proper way to go.
You should only refresh the token, if it is actually used. If the user just doesn’t do anything (e.g. no requests to the backend/resource servers), there’s no need to refresh the token.


Cool Thanks.

And to follow up. Let us say

  • at 10:30 the user authenticates, refresh valid until 10:35, and SSO Session Idle time is 30 minutes
  • The user is idle
  • at 10:45 the user is active again.
    Now, what happens
    => our software shall retry to refresh a token
    => KeyCloak remarks that the refresh time has expired. Our software does NOT get a refreshed token
    => Then, our software must redirect to authentication
    => KeyCloak then determines that the user has authenticated less than 30 minutes ago
    => KeyCloak grants a NEW token since SSO Session Idle time did NOT expire
    => the request to our software is being executed successfully with the new token


Thanks Volker

sounds legit to me :slight_smile:

And if the user takes a longer break than SSO Idle, the session will expire and upon redirection, the user has to re-authenticate with entering the credentials again.
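The two points made in this thread (refresh the token only when a request actually needs it, and fall back to the login redirect once the refresh token has expired so that Keycloak can decide whether the SSO session is still inside its idle window) can be put together in a small client-side token holder. The following is an added example written for this page; it is not code from the thread, from Volker's application, or from Keycloak. Everything in it is constructed: `tokenEndpoint(refreshToken)` stands in for a POST to the token endpoint with `grant_type=refresh_token`, `redirectToLogin()` stands in for starting the authorization-code flow, `now()` is an injected clock so the timeline from the second post can be replayed offline, and the 10-minute refresh-token lifetime is a chosen value, not a Keycloak default.

```javascript
// Added example, not code from the thread or from Keycloak: a browser-side token
// holder that refreshes only when a request actually needs a token (never on a
// background timer) and falls back to the login redirect once the refresh token
// has expired, letting Keycloak decide whether the SSO session is still alive.
//
// Constructed assumptions: `tokenEndpoint(refreshToken)` stands in for a POST to
// the token endpoint with grant_type=refresh_token and resolves to
// {accessToken, refreshToken, expiresIn, refreshExpiresIn} or rejects when the
// refresh token is no longer valid; `redirectToLogin()` starts the normal
// authorization-code flow; `now()` returns seconds and is injected so the flow
// can be simulated offline.
function createTokenHolder({ tokenEndpoint, redirectToLogin, now }) {
  let accessToken = null, refreshToken = null;
  let accessExpiresAt = 0, refreshExpiresAt = 0;
  const log = []; // what happened, in order (for inspection and tests)

  function store(tokens) {
    accessToken = tokens.accessToken;
    refreshToken = tokens.refreshToken;
    accessExpiresAt = now() + tokens.expiresIn;
    refreshExpiresAt = now() + tokens.refreshExpiresIn;
  }

  // Called after the user has authenticated (the code exchange is out of scope here).
  function setInitialTokens(tokens) {
    store(tokens);
    log.push("login");
  }

  // Returns a usable access token, or null when a redirect to login was triggered.
  async function getAccessToken() {
    if (accessToken && now() < accessExpiresAt) return accessToken; // nothing to do
    if (refreshToken && now() < refreshExpiresAt) {
      try {
        store(await tokenEndpoint(refreshToken)); // refresh only because a request needs it
        log.push("refreshed");
        return accessToken;
      } catch (err) {
        log.push("refresh-failed"); // e.g. invalid_grant: session gone on the server side
      }
    } else {
      log.push("refresh-expired");
    }
    accessToken = refreshToken = null;
    log.push("redirect");
    redirectToLogin(); // Keycloak re-issues silently inside SSO Session Idle, else prompts
    return null;
  }

  // Wraps a request so the token question is only asked when the user does something.
  async function authorizedFetch(doRequest) {
    const token = await getAccessToken();
    return token === null ? { status: "redirected" } : doRequest(token);
  }

  return { setInitialTokens, getAccessToken, authorizedFetch, log };
}

// Replays the timeline from the second post against a fake Keycloak. Times are
// seconds after the 10:30 login; access tokens live 5 min, refresh tokens 10 min
// (constructed value), SSO Session Idle is 30 min measured from the last access.
async function simulateThreadTimeline() {
  let clock = 0;
  let lastAccess = 0; // Keycloak updates this on login and on every refresh
  const issue = () => {
    lastAccess = clock;
    return { accessToken: "at-" + clock, refreshToken: "rt-" + clock,
             expiresIn: 300, refreshExpiresIn: 600 };
  };
  const holder = createTokenHolder({
    now: () => clock,
    tokenEndpoint: async (rt) => {
      const issuedAt = Number(rt.slice(3)); // the fake encodes the issue time in the token
      if (clock >= issuedAt + 600 || clock - lastAccess >= 1800) throw new Error("invalid_grant");
      return issue();
    },
    redirectToLogin: () => {
      if (clock - lastAccess < 1800) holder.setInitialTokens(issue()); // silent re-login
      else holder.log.push("credentials-required"); // SSO Session Idle expired
    },
  });
  const statuses = [];
  const request = () => holder.authorizedFetch(async (t) => ({ status: "ok", token: t }));

  holder.setInitialTokens(issue());                       // 10:30 login
  clock = 120;  statuses.push((await request()).status);  // 10:32 active: token still valid
  clock = 400;  statuses.push((await request()).status);  // 10:36 active: refresh on use
  clock = 1500; statuses.push((await request()).status);  // 10:55 after a break: refresh gone
  statuses.push((await request()).status);                // app retried after the silent re-login
  clock = 3500; statuses.push((await request()).status);  // 11:28 after more than 30 min idle
  return { log: holder.log, statuses };
}
```

Because nothing in the holder runs on a timer, an idle user never causes a refresh, so the SSO Session Idle clock on the Keycloak side is only pushed forward by real activity. The replay shows the three outcomes the thread walks through: a request inside the access-token lifetime needs no round trip, a request after the access token expired but inside the refresh-token lifetime refreshes on use, and a request after both have expired redirects, where the fake Keycloak either re-issues tokens silently (inside the idle window) or requires credentials (after it).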