ivangfr / springboot-react-keycloak

The goal of this project is to secure movies-app using Keycloak (with PKCE). movies-app consists of two applications: one is a Spring Boot Rest API called movies-api and another is a React application called movies-ui.

refresh token #11

Closed frhack closed 1 year ago

frhack commented 1 year ago

Is "refresh token" supported?

thanks

ivangfr commented 1 year ago

Hi @frhack Good question!

I've checked the settings of the company-services Realm that the app creates. You can find them in the Realm settings menu -> Tokens tab. There is a Refresh token toggle button.

[Screenshot 2022-11-02 at 15:18:37]

In my app, it is disabled (by default). I haven't explored much about it, as I am using access tokens.

frhack commented 1 year ago

Hi @frhack Good question! ... In my app, it is disabled (by default). I haven't explored much about it, as I am using access tokens.

Thanks for the answer.

The toggle you show is for "Revoke Refresh Token" (to enable revocation of the refresh token), not to enable "Refresh token". So it seems that the refresh token is already enabled in Keycloak.

Refresh token is not an alternative to the Access token: it works in conjunction with the access token.

An OAuth Refresh Token is a string that the OAuth client can use to get a new access token without the user's interaction.

It's very useful to improve security.

Thanks to the refresh token, we can use very short-lived access tokens and refresh them transparently.

https://auth0.com/learn/refresh-tokens
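
The refresh flow described in the comment above, as an added example that is not part of this thread or of the springboot-react-keycloak code: a small token manager for a public (PKCE) SPA such as movies-ui that uses short-lived access tokens and refreshes them transparently with the OAuth 2.0 refresh_token grant. The realm name company-services is taken from the thread; the Keycloak base URL, the client id and the constructed offline stand-in for the token endpoint are assumptions (older Keycloak releases serve the endpoint under an /auth prefix).

```javascript
// Added example, not code from springboot-react-keycloak: a token manager for a
// public (PKCE) SPA such as movies-ui. It keeps the short-lived access token,
// refreshes it against Keycloak's token endpoint just before it expires, and
// surfaces a rejected refresh token so the app can send the user back to login.
// Realm name is from the issue; base URL and client id are assumptions.
const KEYCLOAK_BASE = "http://localhost:8080"; // assumed (older Keycloak: .../auth)
const REALM = "company-services";              // realm created by the project
const CLIENT_ID = "movies-app";                // assumed public client id
const TOKEN_URL = `${KEYCLOAK_BASE}/realms/${REALM}/protocol/openid-connect/token`;
// Refresh this long before expiry so a request never leaves with a token that
// expires while in flight.
const REFRESH_SKEW_MS = 10_000;

class TokenManager {
  // transport(url, init) -> {ok, status, json()}; pass fetch in the browser,
  // a stub here so the example runs offline. now() is injectable for tests.
  constructor(tokens, transport, now = Date.now) {
    this.transport = transport;
    this.now = now;
    this.setTokens(tokens);
  }

  setTokens({ access_token, refresh_token, expires_in }) {
    this.accessToken = access_token;
    // Keycloak normally rotates the refresh token; adopt the new one when sent.
    if (refresh_token) this.refreshToken = refresh_token;
    this.expiresAt = this.now() + expires_in * 1000;
  }

  accessTokenIsFresh() {
    return this.now() < this.expiresAt - REFRESH_SKEW_MS;
  }

  // OAuth 2.0 refresh_token grant (RFC 6749 section 6). A public client sends
  // no client_secret; Keycloak identifies it by client_id.
  refreshRequest() {
    const body = new URLSearchParams({
      grant_type: "refresh_token",
      client_id: CLIENT_ID,
      refresh_token: this.refreshToken,
    }).toString();
    return {
      url: TOKEN_URL,
      init: {
        method: "POST",
        headers: { "Content-Type": "application/x-www-form-urlencoded" },
        body,
      },
    };
  }

  async refresh() {
    const { url, init } = this.refreshRequest();
    const res = await this.transport(url, init);
    if (!res.ok) {
      // invalid_grant: the refresh token expired, was revoked, or was already
      // used with "Revoke Refresh Token" on. Caller must re-authenticate.
      throw new Error(`refresh rejected: HTTP ${res.status}`);
    }
    this.setTokens(await res.json());
    return this.accessToken;
  }

  // Bearer token valid right now, refreshed transparently when needed.
  async getAccessToken() {
    return this.accessTokenIsFresh() ? this.accessToken : this.refresh();
  }
}

// Constructed stand-in for the token endpoint with single-use refresh tokens,
// which is Keycloak's behaviour when "Revoke Refresh Token" is enabled.
function fakeTokenEndpoint(liveRefreshTokens) {
  let n = 0;
  return async (url, init) => {
    const p = new URLSearchParams(init.body);
    const presented = p.get("refresh_token");
    if (url !== TOKEN_URL || p.get("grant_type") !== "refresh_token" ||
        !liveRefreshTokens.has(presented)) {
      return { ok: false, status: 400, json: async () => ({ error: "invalid_grant" }) };
    }
    liveRefreshTokens.delete(presented);          // consumed
    n += 1;
    liveRefreshTokens.add(`rt-${n}`);             // rotated
    return { ok: true, status: 200,
             json: async () => ({ access_token: `at-${n}`, refresh_token: `rt-${n}`, expires_in: 60 }) };
  };
}

async function demo() {
  let clock = 0;
  const live = new Set(["rt-0"]);
  const tm = new TokenManager({ access_token: "at-0", refresh_token: "rt-0", expires_in: 60 },
                              fakeTokenEndpoint(live), () => clock);
  const first = await tm.getAccessToken();   // within lifetime: at-0, no network
  clock = 55_000;                            // inside the skew window: refresh
  const second = await tm.getAccessToken();  // at-1, refresh token rotated to rt-1
  // Replaying the consumed rt-0 (e.g. from a stolen copy) is rejected.
  const replay = new TokenManager({ access_token: "x", refresh_token: "rt-0", expires_in: 0 },
                                  fakeTokenEndpoint(live), () => clock);
  let replayRejected = false;
  try { await replay.getAccessToken(); } catch (e) { replayRejected = true; }
  return { first, second, rotatedTo: tm.refreshToken, replayRejected };
}

demo().then((r) => console.log(r));
```

Two points the example makes concrete. First, the client must store the refresh token that comes back in each token response, because Keycloak can rotate it; with "Revoke Refresh Token" enabled the previous one is single-use, so a client that keeps presenting the old value locks itself out. Second, a failed refresh (HTTP 400 with invalid_grant) is the end of the session, not a transient error to retry: the only recovery is a new authorization-code-plus-PKCE login.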

ivangfr commented 1 year ago

Cool, thanks for the detailed explanation.

Yes, it seems that refresh token is already enabled in Keycloak.