Why does the Keycloak refresh token not work?

We work with Keycloak 14.0.0 and our realm settings for tokens look as follows:

We use a Keycloak public client as front end to work with the applications. This client has the following parameters under "Advanced Settings" in Keycloak:
Access Token Lifespan=3 Minutes, Client Session Idle=30 Minutes
The other fields are left empty

We tried a lot of things but the refresh token does not work. Could somebody tell me what is wrong?
Thank you

How did you prove that? BTW: you have Revoke Refresh Token: ON - it means that the offline token, once used, will be immediately revoked = it means that refresh tokens have one-time use only.

That is right. I forgot to write that under "OpenID Connect Compatibility Modes" of the client, the parameter Use Refresh Tokens = ON.
From the Keycloak 12.0.4 documentation, I read that Revoke Refresh Token: ON was set because of a performance issue. So we leave it unchanged.
Thank you

I mean this link:
https://www.keycloak.org/docs/12.0/upgrading/#client-credentials-grant-without-refresh-token-by-default

¯\(ツ)/¯ A good question should provide a "How to create a Minimal, Reproducible Example - Help Center - Stack Overflow". The authentication topic is huge and I really don't know what you are doing and how ¯\(ツ)/¯. So again: how did you prove that the refresh token does not work? It is not generated, it is not valid, it has an unexpected form, it is not working only for some flows, …?

Please save time and provide a reproducible example, otherwise it is a guessing game. Unfortunately, there are not many people with the time to play the guessing game of what is wrong on your side.


Sorry for your time.
Here is the code we use for the refresh token in our front end. The call to keycloak.updateToken() works correctly and repeatedly; it can refresh from one time to 50 or more in a row, but sometimes it never refreshes or unexpectedly fails after a few successful refreshes (so the code in the catch is executed).

Failure looks like:

Thank you!

You have the answer there - check the response body and the Keycloak server logs for this particular request.

@Tiekisse_ami Why would you always refresh the token automatically on the frontend when the user does not need it? This way the user is going to stay logged in even if he is no longer there.

@Edewit: Thank you for replying. I was on holiday and could not answer your question. Without automatic refresh, the users are logged out even though they are working. So data which is not saved gets lost. The client session idle time is set and we believe that the refresh does not work if the users are not working. Is that not correct?

@Tiekisse_ami Right now you are waiting on an event to trigger and then you renew; this way you don't know if the user is still actively using your application. Better would be that every time you do a request to the backend you check if the token is still valid and renew it.

@edewit: Yes, checking and refreshing the token only when the user is active could be an option, but in our case he could simply be working without making a backend request, and we want to refresh when the event from keycloak-js onTokenExpired fires.
When the event fires we check again and we use keycloak.updateToken from keycloak-js to refresh it. It usually works well and refreshes several times, but sometimes the refresh fails.

Okay, but that means once a user is logged in he is never logged out due to inactivity. If your app is not using the token, why would you need to refresh it? Normally people refresh the token when they are doing a backend call; trying to keep the token valid like you are doing is not the way to do it.
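The pattern edewit describes above, as an added example that is not code from this thread or from keycloak-js: the token is refreshed only when a backend call is about to be made, and concurrent refreshes are serialised, because with Revoke Refresh Token: ON a refresh token is single-use and two parallel updateToken() calls would race. `kc` is assumed to be a keycloak-js instance (updateToken(), token and login() are its real API); the fake instance at the end is constructed so the helper runs offline.

```javascript
// Added example (not from the thread): refresh the keycloak-js token only when a
// backend request is made, and never send the same refresh token twice in parallel.
// Assumption: `kc` behaves like a keycloak-js instance (updateToken, token, login).

let inflightRefresh = null;

function ensureFreshToken(kc, minValiditySeconds = 30) {
  // Reuse the in-flight refresh so a single-use refresh token reaches Keycloak once.
  if (!inflightRefresh) {
    inflightRefresh = Promise.resolve(kc.updateToken(minValiditySeconds))
      .finally(() => { inflightRefresh = null; });
  }
  return inflightRefresh;
}

async function authFetch(kc, fetchImpl, url, options = {}) {
  try {
    await ensureFreshToken(kc);
  } catch (err) {
    // Refresh failed (session idle timeout reached, token already revoked, ...):
    // send the user to login instead of calling the backend with a stale token.
    await kc.login();
    throw err;
  }
  const headers = { ...(options.headers || {}), Authorization: `Bearer ${kc.token}` };
  return fetchImpl(url, { ...options, headers });
}

// Constructed stand-in for a keycloak-js instance so the helper can be exercised offline:
// every updateToken() call issues a new token, and refreshes fail after `failAfter` uses.
function makeFakeKeycloak({ failAfter = Infinity } = {}) {
  const state = { refreshes: 0 };
  return {
    token: 'token-0',
    logins: 0,
    refreshCount: () => state.refreshes,
    async updateToken() {
      state.refreshes += 1;
      if (state.refreshes > failAfter) throw new Error('invalid_grant');
      this.token = `token-${state.refreshes}`;
      return true;
    },
    async login() { this.logins += 1; },
  };
}
```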

Hello, I'm working on this feature too, onTokenExpired.
I have the same case as @Tiekisse_ami.
And I understand your point @edewit, but our clients complain that they don't like to be working in our app and out of nowhere the app logs out.

Hi @PauloJorgeS, I have the same issue. Have you found a solution or workaround?

@edewit

I am trying to integrate two systems having different users. So I have created 2 OpenID clients, one for each system.
But when a user is moved from System A to System B, System B is not able to refresh the token generated by System A (using its own client), even though both are able to validate tokens under the same realm. Did you face this issue before? Looking forward to hearing from you.

Note: Both systems are in the same realm.

@prashankjauhari Are you doing it from the admin console or programmatically through the kc SDK?

I am doing it through the OpenID token endpoint with grant type refresh token. We are using the direct grant flow.

Endpoint: http://localhost:8081/realms/SELFCARE/protocol/openid-connect/token/

In the Keycloak source code I can see the following code:

        if (!client.getClientId().equals(refreshToken.getIssuedFor())) {
            throw new OAuthErrorException(OAuthErrorException.INVALID_GRANT, "Invalid refresh token. Token client and authorized client don't match");
        }

So a client within the same realm cannot use the refresh token. But they can validate access tokens generated by some other client within the same realm.
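The same check run on the client side, as an added example that is neither Keycloak's own code nor part of this thread: Keycloak serialises the issuedFor field into the `azp` claim of its JWTs, so decoding the refresh token's payload (without verifying it) and comparing `azp` with the client id that will call the token endpoint shows in advance whether the quoted check will reject the exchange. The sample token is constructed and unsigned; it assumes the JWT-format refresh tokens Keycloak issues by default.

```javascript
// Added example (not Keycloak's code): predict the "Token client and authorized client
// don't match" rejection by comparing the refresh token's azp claim with the client id.
// Assumption: the refresh token is a JWT, as Keycloak issues by default.

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected 3 dot-separated parts');
  // base64url -> base64, then decode (Buffer is Node's API; padding may be absent)
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Mirrors the server-side check quoted above: null when that check would pass,
// otherwise the same error message Keycloak returns with invalid_grant.
function refreshTokenClientMismatch(refreshToken, clientId) {
  const payload = decodeJwtPayload(refreshToken);
  if (payload.azp !== clientId) {
    return "Invalid refresh token. Token client and authorized client don't match";
  }
  return null;
}

// Constructed, unsigned sample token for local testing (signature part is a placeholder).
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.sig-placeholder`;
}
```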