Understanding access token lifespan

We need to issue access tokens with a longer lifespan than desired, for a legacy CLI application. We’re using the admin-cli client, and to obtain the token we’re using the Resource Owner Credentials flow with the following request:

POST https://keycloak/auth/realms/myrealm/protocol/openid-connect/token
Accept: application/json
Content-Type: application/x-www-form-urlencoded

grant_type=password&client_id=admin-cli&username=user&password=password

In order to have that longer lifespan, we have set “Access Token Lifespan” under the admin-cli advanced settings to 70 minutes.

Those tokens work for interacting with the REST API without any problems until 30/35 minutes have passed since the token was issued. After that, we’re constantly getting 401 Unauthorized errors.

What are we missing in understanding how the “Access Token Lifespan” works? Any other setting that might be getting in our way?

Thanks in advance.

When retrieving an access token, can you check if its lifetime is actually set to 70 minutes?
I know that in some cases the realm settings mess things up.
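
One way to run the check suggested above, as an added example that is not part of the original thread: decode the access token's `iat` and `exp` claims, compute the lifetime the server actually issued, and compare the time of the first 401 against `exp`. The function names and the sample token are constructed for illustration; in practice the `access_token` value from the token response takes the sample's place.

```python
import base64
import json
import time


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def lifetime_minutes(claims: dict) -> float:
    """Lifetime the server actually put in the token: exp - iat."""
    return (claims["exp"] - claims["iat"]) / 60


def classify_401(claims: dict, failed_at: float) -> str:
    """Say whether a 401 seen at failed_at (epoch seconds) is explained by exp."""
    if failed_at >= claims["exp"]:
        return "expired"
    age = (failed_at - claims["iat"]) / 60
    return f"rejected {age:.0f} min after issue, before exp"


def make_sample_token(iat: int, lifetime_s: int) -> str:
    """Constructed, unsigned sample token so the example runs offline."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    body = {"iat": iat, "exp": iat + lifetime_s}
    return ".".join([b64({"alg": "none"}), b64(body), "sig"])


if __name__ == "__main__":
    now = int(time.time())
    token = make_sample_token(now, 70 * 60)  # stands in for the real access_token
    claims = decode_claims(token)
    print("lifetime:", lifetime_minutes(claims), "minutes")
    print("401 at 33 min:", classify_401(claims, now + 33 * 60))
    print("401 at 71 min:", classify_401(claims, now + 71 * 60))
```

A 401 classified as rejected before `exp` means the token's own expiry claim is not what caused the failure, so the lifespan setting on the client is being honoured in the token itself.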

Hi Flo, thanks for replying.

The token has a lifetime of 70 minutes; that was the first thing we checked.

I did a clean installation of Keycloak locally and only set the lifespan to 70 minutes. It works as expected and only returns a 401 after those 70 minutes.
Maybe you can set up your own local Keycloak installation and change one setting at a time until you can either reproduce the issue or you’ve fully copied your production settings.