In our code, we are using the Admin REST API to handle user login.
In the first login, we are sending the user credentials and using the password grant type to get a valid access token.
But after that, whenever the access token is about to expire (in our case after 5 minutes), we are using the client_credentials grant type to generate a new access token.
I'm not an expert, but it seems to me that, unlike working with refresh tokens, this way of generating a new access token can last forever and isn't bound by any value in the KC configuration.
Am I right?
I tried playing around with the SSO Session Idle/Max and Client Session Idle/Max values (both at realm and client level), but it seems to have no impact.
Any insight will be helpful.
Hello, as I said here: Trying to understand access token use - #3 by regilero, you can use this grant type to connect with service accounts. So instead of using a 'user' credential you should use the client_id/client secret, if this client has the 'service account' enabled.
You can use it to get the first token (do not start with the password grant type), and to get a new one every time it expires. In this mode Keycloak will never send a refresh token, because the refresh token system is made to maintain a connection where you used client credentials at first, and as you should never store user credentials, you do not have them later. So the refresh_token system is made to refresh access tokens when using user credentials. But for B-to-B API connections you should not use user credentials; use service accounts, meaning you use static credentials (client_id/client secret) which do not depend on a user.
Now if your API connection is really based on a password grant type, and you want to get different access levels on the REST API depending on the user (which is a rare case), you could start with the password grant type, but after expiration you should ask for new access_tokens using the refresh_token from the first response.
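The two renewal strategies from the answer, side by side, as an added example that is not code from this thread or from Keycloak. It assumes the token endpoint path `/realms/<realm>/protocol/openid-connect/token` (older Keycloak releases prefix it with `/auth`) and injects the HTTP transport so the flow can be driven offline against a constructed fake server: a service-account session keeps calling `client_credentials` and never holds a refresh token (so the SSO/Client Session Idle/Max settings from the question have nothing to bound; only the client secret does), while a user session renews with `refresh_token` and is forced back to `login()` once the server refuses the refresh.

```python
"""Keycloak token renewal: service account vs. user session (added example).

Assumed, not from the page: the token endpoint path below and an injectable
`post` transport so the demo runs without a Keycloak server.
"""
import json
import time
import urllib.parse
import urllib.request


def token_endpoint(base_url, realm):
    """Keycloak token endpoint URL (assumed path; older releases add /auth)."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def http_post_form(url, form):
    """Real transport: form-encoded POST, JSON body back. Unused by the demo."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


class TokenSession:
    """mode="service_account": client_credentials first and on every expiry;
    no refresh token is issued and no user session bounds the renewals.
    mode="user": password grant once, then refresh_token on expiry; when
    Keycloak rejects the refresh (session idle/max exceeded) the transport
    raises and the caller must run login() again."""

    def __init__(self, endpoint, client_id, client_secret, mode,
                 post=http_post_form, clock=time.monotonic, skew=30):
        if mode not in ("service_account", "user"):
            raise ValueError(f"unknown mode {mode!r}")
        self.endpoint, self.mode = endpoint, mode
        self.client_id, self.client_secret = client_id, client_secret
        self._post, self._clock, self._skew = post, clock, skew
        self._access = self._refresh = None
        self._expires_at = 0.0
        self.grants_used = []  # audit trail of every grant_type attempted

    def _request(self, form):
        form = {"client_id": self.client_id,
                "client_secret": self.client_secret, **form}
        self.grants_used.append(form["grant_type"])
        resp = self._post(self.endpoint, form)
        self._access = resp["access_token"]
        self._expires_at = self._clock() + float(resp["expires_in"])
        self._refresh = resp.get("refresh_token")  # absent for service accounts
        return self._access

    def login(self, username=None, password=None):
        if self.mode == "service_account":
            return self._request({"grant_type": "client_credentials"})
        return self._request({"grant_type": "password",
                              "username": username, "password": password})

    def access_token(self):
        """Return a token still valid for at least `skew` seconds, renewing if not."""
        if self._access and self._clock() < self._expires_at - self._skew:
            return self._access
        if self.mode == "service_account":
            return self._request({"grant_type": "client_credentials"})
        if not self._refresh:
            raise RuntimeError("no refresh token held; call login() again")
        return self._request({"grant_type": "refresh_token",
                              "refresh_token": self._refresh})


def run_offline_demo():
    """Drive both modes against a constructed fake Keycloak (no network)."""
    now, counter = [0.0], [0]

    def fake_post(url, form):
        # Constructed responses: 300 s tokens, refresh token only for user
        # grants, refresh refused once the fake session idle limit has passed.
        counter[0] += 1
        if form["grant_type"] == "refresh_token" and now[0] > 1800:
            raise PermissionError("invalid_grant: session not active")
        resp = {"access_token": f"at-{counter[0]}", "expires_in": 300}
        if form["grant_type"] in ("password", "refresh_token"):
            resp["refresh_token"] = f"rt-{counter[0]}"
        return resp

    ep = token_endpoint("https://kc.example", "demo")
    results = {}
    svc = TokenSession(ep, "api-client", "secret", "service_account",
                       post=fake_post, clock=lambda: now[0])
    svc.login()
    now[0] = 290                    # inside the skew window: renew
    svc.access_token()
    results["service_account"] = list(svc.grants_used)
    results["service_account_refresh_token"] = svc._refresh

    usr = TokenSession(ep, "api-client", "secret", "user",
                       post=fake_post, clock=lambda: now[0])
    usr.login("alice", "pw")
    now[0] = 590                    # expired: renew via refresh_token
    usr.access_token()
    now[0] = 2000                   # past the fake session limit
    try:
        usr.access_token()
        results["user_refresh_rejected"] = False
    except PermissionError:
        results["user_refresh_rejected"] = True
    results["user"] = list(usr.grants_used)
    return results


if __name__ == "__main__":
    print(run_offline_demo())
```

The `grants_used` trail is the thing to log in production: a client that only ever emits `client_credentials` is a service account and should have no user behind it, whereas a `password` grant followed by `client_credentials` renewals (the pattern in the question) silently swaps the user's identity for the client's on every renewal.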