Disable Refresh Token in Keycloak
We have an Angular SPA that is authorized by OIDC using the Implicit Flow. We use Keycloak as our authorization server. The Access Token has a short lifespan and is refreshed regularly via a hidden iframe.

After reading that the Authorization Code Flow + PKCE is the new recommended way to authorize SPAs, we decided to switch flows. Everything works fine, but Keycloak does give us a Refresh Token (along with Access and ID Token) every time we call the Token Endpoint. As there is no secure way to store the Refresh Token, we want to continue using the hidden iframe method for refreshing the access token.

Is there a way to disable refresh tokens in Keycloak? Or are we missing something? Is it OK to store Refresh Tokens in a SPA?

Barnet answered 15/5, 2020 at 9:19 Comment(4)
Did you find out? (Behan)
I did not find out yet. We are still using a hidden iframe. I will definitely update this question as soon as I have resolved this issue, as some people seem to be interested in this. According to this post, refresh tokens in SPAs are fine as long as "Refresh Token Rotation" is used. I did not find such a feature in Keycloak. (Barnet)
Did you try to decrease the refresh_token lifespan, for example to 1 minute? (Union)
I believe that is possible in version 13.0.0. issues.redhat.com/browse/… (Tide)
More recent versions of Keycloak have implemented this feature at the client level under the "OpenID Connect Compatibility Modes" section.

I've verified with version 14.x.

Agonistic answered 16/11, 2021 at 5:22 Comment(0)
As seen from Keycloak's source code, it still does not provide a way to disable issuing a refresh token during the authorization code flow. Unfortunately, you should keep using the implicit grant flow, since a refresh token stored on the client side is a big flaw.

Beryl answered 25/11, 2020 at 17:32 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.