Disable Refresh Token in Keycloak

We have an Angular SPA that is authorized by OIDC using the Implicit Flow. We use Keycloak as our authorization server. The Access Token has a short lifespan and is refreshed regularly via a hidden iframe.

After reading that the Authorization Code Flow + PKCE is the new recommended way to authorize SPAs, we decided to switch flows. Everything works fine, but Keycloak does give us a Refresh Token (along with Access and ID Token) every time we call the Token Endpoint. As there is no secure way to store the Refresh Token, we want to continue using the hidden iframe method for refreshing the access token.

Is there a way to disable refresh tokens in Keycloak? Or are we missing something? Is it OK to store Refresh Tokens in a SPA?

tobiso asked May 15 '20 09:05


1 Answer

More recent versions of Keycloak have implemented this feature at the client level under the "OpenID Connect Compatibility Modes" section.

I've verified with version 14.x.

juliaaano answered Nov 03 '22 09:11