Keycloak refresh token expiry is tied to SSO timeouts. If SSO Session Idle is set to 30 minutes, the refresh token will only work for 30 minutes. Session Idle can only be as large as Session Max, so the lower of the two is taken as the maximum refresh token life. How do we specify the refresh token expiry separately, as we can for the access token? If the refresh token expires, do we need to get another refresh token? Ideal refresh token expiry time?
A client application uses the refresh token to get a new access token without user interaction. It should do so before, or shortly after the access token expires. It will then receive a refresh token which is again valid for 30 minutes (Keycloak Session Idle Timeout). The client can repeat until the Session Max timespan is over.
As a client, don't let the refresh token expire:
If the refresh token has expired, the client needs to direct the browser to the authorization endpoint. To prevent this, your application should use the refresh token when the access token becomes invalid. Even better: schedule a refresh for a time before the access token expires.
Scope offline_access
As an alternative, the client could request the scope "offline_access". In this case, the refresh token lifetime is not bound to the SSO Session Idle and Max settings. For details see https://www.keycloak.org/docs/latest/server_admin/index.html#_offline-access
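The refresh loop the answer describes (refresh ahead of access-token expiry, fall back to a new login once the SSO session is gone, and the offline_access alternative), as an added example that is not part of the original question or answer. The token endpoint here is a constructed stand-in for Keycloak's `.../realms/<realm>/protocol/openid-connect/token` so the code runs offline; the `expires_in` / `refresh_expires_in` response fields match what Keycloak returns, while the client id `my-app`, the token strings, the timer values and the error text of the fake endpoint are assumptions of this example.

```python
"""Refresh scheduling against a Keycloak-style token endpoint (added example)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class RefreshTokenExpired(Exception):
    """Server answered invalid_grant: only a new login (authorization endpoint) helps."""


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    access_expires_at: float            # epoch seconds
    refresh_expires_at: Optional[float]  # None = not bound to the SSO session (offline_access)


def parse_token_response(body: Dict, now: float) -> TokenSet:
    """Turn Keycloak's relative lifetimes (expires_in, refresh_expires_in) into absolute times.
    refresh_expires_in == 0 is what Keycloak sends for an offline token."""
    refresh_in = body.get("refresh_expires_in", 0)
    return TokenSet(body["access_token"], body["refresh_token"],
                    now + body["expires_in"], (now + refresh_in) if refresh_in else None)


class TokenManager:
    """Keeps a usable access token by refreshing *before* it expires (skew seconds early)."""

    def __init__(self, post: Callable[[Dict], Dict], client_id: str, tokens: TokenSet,
                 now: Callable[[], float] = time.time, skew: float = 30.0):
        self.post, self.client_id, self.tokens, self.now, self.skew = post, client_id, tokens, now, skew

    def refresh(self) -> TokenSet:
        body = self.post({"grant_type": "refresh_token", "client_id": self.client_id,
                          "refresh_token": self.tokens.refresh_token})
        if "error" in body:  # Keycloak: HTTP 400 {"error": "invalid_grant", ...}
            raise RefreshTokenExpired(body.get("error_description", body["error"]))
        self.tokens = parse_token_response(body, self.now())
        return self.tokens

    def seconds_until_refresh(self) -> float:
        """Delay for the scheduled refresh; 0 means refresh right now."""
        return max(0.0, self.tokens.access_expires_at - self.skew - self.now())

    def access_token(self) -> str:
        if self.seconds_until_refresh() == 0:
            self.refresh()
        return self.tokens.access_token


class FakeTokenEndpoint:
    """Constructed model of the refresh semantics described above (not Keycloak code):
    a refresh works while idle time <= session_idle and session age <= session_max,
    unless the session was created with offline_access."""

    def __init__(self, now, access_lifespan=300, session_idle=1800, session_max=36000):
        self.now, self.access_lifespan = now, access_lifespan
        self.session_idle, self.session_max = session_idle, session_max
        self.tokens: Dict[str, Dict] = {}   # refresh_token -> shared session record
        self.counter = 0

    def login(self, scope: str = "openid") -> Dict:
        """Stand-in for finishing the authorization-code flow at the authorization endpoint."""
        session = {"start": self.now(), "last_used": self.now(), "offline": "offline_access" in scope.split()}
        return self._issue(session)

    def _issue(self, session: Dict) -> Dict:
        self.counter += 1
        session["last_used"] = self.now()
        self.tokens[f"rt{self.counter}"] = session
        refresh_in = 0 if session["offline"] else int(
            min(self.session_idle, session["start"] + self.session_max - self.now()))
        return {"access_token": f"at{self.counter}", "expires_in": self.access_lifespan,
                "refresh_token": f"rt{self.counter}", "refresh_expires_in": refresh_in,
                "token_type": "Bearer"}

    def __call__(self, form: Dict) -> Dict:
        session, t = self.tokens.get(form.get("refresh_token")), self.now()
        if session is None:
            return {"error": "invalid_grant", "error_description": "Invalid refresh token"}
        if not session["offline"] and (t - session["last_used"] > self.session_idle
                                       or t - session["start"] > self.session_max):
            return {"error": "invalid_grant", "error_description": "Token is not active"}
        return self._issue(session)


def demo() -> Dict:
    """Walk through: scheduled refresh, idle timeout, and the offline_access alternative."""
    clock = [1_000_000.0]                      # constructed, controllable clock
    now = lambda: clock[0]
    kc = FakeTokenEndpoint(now)
    tm = TokenManager(kc, "my-app", parse_token_response(kc.login(), now()), now=now)
    out = {"first_refresh_due": tm.seconds_until_refresh()}       # 300 s lifespan - 30 s skew
    clock[0] += out["first_refresh_due"]
    out["token_after_schedule"] = tm.access_token()               # refreshed on schedule
    out["refresh_expires_at_minus_now"] = tm.tokens.refresh_expires_at - now()  # = Session Idle
    clock[0] += 1801                                              # client slept past Session Idle
    try:
        tm.access_token()
        out["idle_expired"] = False
    except RefreshTokenExpired:
        out["idle_expired"] = True                                # must go back to the authorization endpoint
    tm2 = TokenManager(kc, "my-app", parse_token_response(kc.login("openid offline_access"), now()), now=now)
    clock[0] += 36001                                             # past both Idle and Max
    out["offline_token"] = tm2.access_token()                     # still refreshes
    out["offline_refresh_expiry"] = tm2.tokens.refresh_expires_at  # None: not bound to SSO timers
    return out


if __name__ == "__main__":
    print(demo())
```

Against a real realm, `post` is the only part to swap, e.g. `lambda form: requests.post(token_url, data=form).json()` with the confidential client's secret added to the form. The `refresh_expires_in` value in each response is the remaining refresh-token life the question asks about; `seconds_until_refresh()` is what a timer should be armed with, and `RefreshTokenExpired` is the case where the browser has to be sent to the authorization endpoint again.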
© 2022 - 2024 — McMap. All rights reserved.