keycloak/keycloak-nodejs-admin-client

Keycloak refresh token

jstortoise opened this issue · 4 comments

I am using this plugin for my project and I have an issue with the refresh token.

Describe the bug
How do I refresh the token using keycloak-admin-nodejs-client?

To Reproduce
Steps to reproduce the behavior:

  1. Authorization

     const kcAdmin = new KcAdminClient({
         baseUrl: config.KC_BASE_URL,
         realmName: config.KC_REALM_NAME
     });
     await kcAdmin.auth({
         username: "...",
         password: "...",
         grantType: "password",
         clientId: "...",
         clientSecret: "..."
     });

  2. Get access_token and refresh_token

     access_token = kcAdmin.getAccessToken();
     refresh_token = kcAdmin.refreshToken;

  3. access_token has a 1 hour lifespan and refresh_token has a 1 day lifespan. Now access_token has expired, but refresh_token is still valid.

How do I get a refreshed token? I can refresh the token using the original Keycloak REST API, but I'd like to do it using keycloak-admin.

Could someone please help me refresh the token.

I am sorry, I know this isn't a bug, but I don't know how else to get help from you.

If you're still looking for an answer, check the README. Look right below the line that says:

"To refresh the access token provided by Keycloak, an OpenID client like panva/node-openid-client can be used like this:"

Also, be aware that the refresh token may expire as well, and in that case you would need to re-authenticate (log in again) to get another refresh token (unless there's another way).

@justintime4tea, thanks for your response.

Btw, is there any function to refresh the token instead of using another module (panva/node-openid-client)?

Currently, I am using the original Keycloak REST API.

POST https://<keycloak.domain>/realms/master/protocol/openid-connect/token

{
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: {
        grant_type: 'refresh_token',
        client_id: <my_client_id>,
        client_secret: <my_client_secret>,
        refresh_token: <my_refresh_token>
    }
}

Is there any better way to refresh the token?
Also, is there any way to check whether a token is valid?

@jstortoise I've performed raw HTTP subsequent requests with content exactly like you described.

good: access_token has been updated

bad: the expires_in and refresh_expires_in fields remain the same, and after the timeout I get errors like '400 "Refresh token expired"'

summary: it is not working as expected

solution: as long as you already have clientId/clientSecret, you can obtain access_token the same way as for the first request (I am doing it in a plain HTTP request with:

    { grant_type: 'client_credentials',
      client_id: keycloakCfg.clientId,
      client_secret: keycloakCfg.clientSecret,
      scope: 'openid' })

For public clients (mobile, browsers, ...) always use the code flow + PKCE.
For confidential clients, use the password flow in a controlled private environment to impersonate users; otherwise use the application flow (clientId + secret).
Never create timers to refresh tokens before they expire; just call refresh token before API operation calls: if the refresh token is not valid (expired), just log in again; if the token is valid, that means a refresh was made.
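Putting the thread's two pieces together (the raw refresh_token POST quoted above and the advice to refresh right before an API call rather than on a timer), here is an added example that is not code from the thread or from keycloak-nodejs-admin-client. It assumes a confidential client logging in with client_credentials, and takes a `fetchImpl` and a clock as constructor arguments so it can be run offline against a constructed fake token endpoint.

```javascript
// Added example (not from the thread or the keycloak-admin-client project). Wraps the
// token endpoint used in the thread; `fetchImpl`/`now` are injected so it runs offline.
const TOKEN_PATH = '/realms/master/protocol/openid-connect/token';

// Read the `exp` claim of a JWT without verifying it. This only decides whether the
// token is worth sending; Keycloak still validates the signature on every request.
function tokenExpiryMs(jwt) {
  const payload = JSON.parse(Buffer.from(jwt.split('.')[1], 'base64url').toString());
  return payload.exp * 1000;
}

class KeycloakTokens {
  // loginForm: the grant used for a fresh login (assumption: client_credentials, as in
  // the thread). client_id/client_secret are added to every token request.
  constructor({ baseUrl, clientId, clientSecret, loginForm, fetchImpl, now = Date.now }) {
    Object.assign(this, { baseUrl, clientId, clientSecret, loginForm, fetchImpl, now });
    this.accessToken = null;
    this.refreshToken = null;
  }

  // The raw POST from the thread: form-encoded body to the token endpoint.
  async requestTokens(form) {
    const body = new URLSearchParams({ client_id: this.clientId, client_secret: this.clientSecret, ...form });
    const res = await this.fetchImpl(this.baseUrl + TOKEN_PATH, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    });
    if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
    const tokens = await res.json();
    this.accessToken = tokens.access_token;
    this.refreshToken = tokens.refresh_token ?? null;
    return tokens;
  }

  // Call immediately before each API operation (no timers). Returns how the access
  // token was obtained: 'cached', 'refreshed' or 'logged-in'.
  async ensureAccessToken(skewMs = 30_000) {
    const now = this.now();
    if (this.accessToken && tokenExpiryMs(this.accessToken) - skewMs > now) return 'cached';
    if (this.refreshToken && tokenExpiryMs(this.refreshToken) > now) {
      try {
        await this.requestTokens({ grant_type: 'refresh_token', refresh_token: this.refreshToken });
        return 'refreshed';
      } catch (e) { /* e.g. 400 "Refresh token expired": fall through to a fresh login */ }
    }
    await this.requestTokens(this.loginForm);
    return 'logged-in';
  }
}
```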