We have an Angular SPA that is authorized by OIDC using the Implicit Flow. We use Keycloak as our authorization server. The Access Token has a short lifespan and is refreshed regularly via a hidden iframe.
After reading that the Authorization Code Flow + PKCE is the new recommended way to authorize SPA's, we decided to switch flows. Everything works fine, but Keycloak does give us a Refresh Token (along with Access and ID-Token) every time we call the Token-Endpoint. As there is no secure way to store the Refresh Token, we want to continue using the hidden iframe method for refreshing the access token.
Is there a way to disable refresh tokens in Keycloak? Or are we missing something? Is it OK to store Refresh Tokens in a SPA?
More recent versions of Keycloak have implemented this feature at the client level under the "OpenID Connect Compatibility Modes" section.
I've verified with version 14.x.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With