Keycloak admin REST API - create new access token with refresh token without recreating a refresh token #9239

sardounis · 2021-12-20T10:41:13Z

sardounis
Dec 20, 2021

I am trying to use Keycloak admin REST API to recreate an access token when I have a valid refresh token.

I have accomplished that, by invoking with POST /auth/realms/{realm}/protocol/openid-connect/token.

The problem is that the endpoint also returns a new refresh token each time. Is this the way a JWT authorisation flow should work?

I think the correct flow would be to only get a new access token when the auth endpoint is invoked, and when the refresh token expires, to sign in again to acquire a new refresh token; Not to get a new refresh token each time we query for a new access token.

Am I missing something here?

I have also posted this question at stack overflow.

bs-matil · 2021-12-20T11:50:12Z

bs-matil
Dec 20, 2021

First of all you mix up two things.
Open ID Connect Authentication with JWT and Oauth authorization tokens and refresh tokens.

This are two different objects.
You will get a new OAuth refresh token each time you obtain an access token. This is the way OAuth grants you a "endless session" but with the option to deny a new access token at any try of exchange.

Also see from RFC https://datatracker.ietf.org/doc/html/rfc6749#section-1.5

  +--------+                                           +---------------+
  |        |--(A)------- Authorization Grant --------->|               |
  |        |                                           |               |
  |        |<-(B)----------- Access Token -------------|               |
  |        |               & Refresh Token             |               |
  |        |                                           |               |
  |        |                            +----------+   |               |
  |        |--(C)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(D)- Protected Resource --| Resource |   | Authorization |
  | Client |                            |  Server  |   |     Server    |
  |        |--(E)---- Access Token ---->|          |   |               |
  |        |                            |          |   |               |
  |        |<-(F)- Invalid Token Error -|          |   |               |
  |        |                            +----------+   |               |
  |        |                                           |               |
  |        |--(G)----------- Refresh Token ----------->|               |
  |        |                                           |               |
  |        |<-(H)----------- Access Token -------------|               |
  +--------+           & Optional Refresh Token        +---------------+

               Figure 2: Refreshing an Expired Access Token

3 replies

sardounis Dec 20, 2021
Author

Thanks a lot for the response! Could you please clarify if there is an option at keycloak to avoid returning a refresh token when a query for an access token is made, In order to enforce logout? Or we should just avoid returning the new refresh token in subsequent calls to the consumer of our auth services which utilises keycloak? In other words the question is: How can we make the return of the refresh token optional - via a keycloak option or via our implementation?

bs-matil Dec 20, 2021

You will find the option to disable it in the client settings in section OpenID Connect Compatibility Modes
Expand this section to configure settings for backwards compatibility with older OpenID Connect / OAuth2 adapters. It is useful especially if your client uses older version of Keycloak / RH-SSO adapter.

bs-matil Dec 20, 2021

@sardounis would be nice if you close this issue by accepting the answer if its working for you.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Keycloak admin REST API - create new access token with refresh token without recreating a refresh token #9239

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Keycloak admin REST API - create new access token with refresh token without recreating a refresh token #9239

Uh oh!

sardounis Dec 20, 2021

Replies: 1 comment · 3 replies

Uh oh!

bs-matil Dec 20, 2021

Uh oh!

sardounis Dec 20, 2021 Author

Uh oh!

bs-matil Dec 20, 2021

Uh oh!

bs-matil Dec 20, 2021

sardounis
Dec 20, 2021

Replies: 1 comment 3 replies

bs-matil
Dec 20, 2021

sardounis Dec 20, 2021
Author