How to refresh bearer token?


Navin Kaushik

Jan 12, 2021, 6:18:59 AM
to Keycloak User
Problem Statement: Our application is installed on the end user's machine and has an offline JWT token containing an access token & refresh token. Now the access token is sent to the API server as a bearer token, and when the access token expires, it is not refreshed by the Keycloak Java adapter automatically (of course, as it doesn't have the refresh token). We can't do the refresh on the client side as it's not confidential.

Question: How can the backend (like the Keycloak Java adapter) do the refresh in the case of a bearer token?


Tony Harris

Jan 12, 2021, 10:05:18 AM
to Navin Kaushik, Keycloak User
What makes you think you cannot refresh the token from the client side of a public client?
An HTTP POST to auth/realms/{realmName}/protocol/openid-connect/token
with an x-www-form-urlencoded body containing
grant_type=refresh_token
client_id={yourClientId}
refresh_token={your refresh token}

will do the job. Don't forget to update your refresh token with the one you get from this call, or you will find yourself unable to refresh once your max session idle time expires.

Tony
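
The refresh call described above for a public client, including storing the refresh token returned by each call, as an added Python example that is not part of the original message or Keycloak's own code. The host, realm, client id and token values are constructed placeholders, and `fake_token_endpoint` is a hypothetical stand-in for the server so the block runs offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

def build_refresh_request(base_url, realm, client_id, refresh_token):
    """Build the form-encoded POST described above (public client: no secret)."""
    url = "%s/auth/realms/%s/protocol/openid-connect/token" % (
        base_url.rstrip("/"), urllib.parse.quote(realm, safe=""))
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    }).encode("ascii")
    return url, body, {"Content-Type": "application/x-www-form-urlencoded"}

def http_post(url, body, headers):
    """Real transport: POST and return the decoded JSON reply, error replies too."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:  # e.g. 400 with {"error": "invalid_grant"}
        return json.loads(err.read() or b"{}")

def refresh(tokens, base_url, realm, client_id, post=http_post):
    """Refresh `tokens` in place; `post` is injectable so this can run offline."""
    url, body, headers = build_refresh_request(
        base_url, realm, client_id, tokens["refresh_token"])
    reply = post(url, body, headers)
    if "access_token" not in reply:
        # Refresh token expired or revoked: the user has to log in again.
        raise PermissionError(reply.get("error", "refresh_failed"))
    tokens["access_token"] = reply["access_token"]
    # Store the refresh token from this reply; keep the old one only if none came back.
    tokens["refresh_token"] = reply.get("refresh_token", tokens["refresh_token"])
    return tokens

def fake_token_endpoint(url, body, headers):
    """Constructed stand-in for the server: accepts 'rt-N', returns 'rt-(N+1)'."""
    form = dict(urllib.parse.parse_qsl(body.decode("ascii")))
    token = form.get("refresh_token", "")
    if form.get("grant_type") != "refresh_token" or not token.startswith("rt-"):
        return {"error": "invalid_grant"}
    n = int(token[3:]) + 1
    return {"access_token": "at-%d" % n, "refresh_token": "rt-%d" % n}

if __name__ == "__main__":
    t = {"access_token": "at-1", "refresh_token": "rt-1"}  # constructed sample values
    print(refresh(t, "https://sso.example.test", "demo-realm", "desktop-app",
                  post=fake_token_endpoint))
```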


Navin Kaushik

Jan 12, 2021, 12:39:21 PM
to Keycloak User
Thanks, Tony, for the quick response. Actually, I was just wondering if it is fine from a security perspective to call refresh from a hostile environment, but it looks like its threat level is equivalent to getting a token from an SPA.