Two thigs to keep always in mind:
- A refresh token can never last longer than the keycloak session.
- An access token can never last longer than a refresh token.
Therefore, you must make sure that:
- The “SSO Session Idle” and the “SSO Session Max” have an equal or greater value than “Client Session Idle” and “Client Session Max”.
- “Client Session Idle” and “Client Session Max” have an equal or greater value than “Access Token Lifespan”.