Reputation: 587
I'm checking out Keycloak and attempting to secure a REST service written in Spring Boot. I found a sample on GitHub and it worked. The question is: once I obtain a new access token via the refresh token, I can still use the old access token.
I configured the Spring Boot adapter for Keycloak and tried setting the access token lifetime to two minutes in Keycloak via the web portal for the relevant client.
Is this behavior normal? Any suggestions would be helpful.
Upvotes: 2
Views: 3132
Reputation: 11663
In the case of Keycloak, it does not invalidate the previously issued access token. You can verify this by viewing the Sessions tab:
In my case, I logged in as administrator_user from 2 different browsers and in turn received 2 access_tokens, both of which were valid.
Since the access token is a JWT, which is self-contained and has an expiry-time field, it remains valid until the expiry time is reached.
One use case I can see behind this is when you want to use the same user account on multiple devices. E.g. think of Gmail (not that it uses Keycloak, but as a generic example). When you log in to the desktop Gmail site, you don't want to be logged out of your mobile Gmail app.
Upvotes: 3
Reputation: 189
This behavior is perfectly normal.
Access tokens last until the expiration time set in the token. Access tokens are short-lived and refresh tokens live longer.
It does not matter: you can generate as many access tokens as you want through the refresh token. All the tokens will work until their TTL is reached.
Upvotes: 1
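Both answers make the same point: a resource server validates a JWT access token offline, by checking its signature and its `exp` claim, so issuing a new token through the refresh grant has no effect on a token issued earlier. The following is an added, self-contained example (not code from either answer, from Keycloak, or from the Spring Boot adapter) that reproduces that behaviour with a minimal HS256 JWT built from the Python standard library. The shared secret, the subject `alice`, the timestamps and the two-minute lifetime are all constructed for the demonstration; Keycloak itself signs tokens with asymmetric RS256 keys, but the validation logic (verify signature, compare `exp` to the current time) is the same and is exactly why the old token keeps working.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. Keycloak uses an RS256 key pair; HS256 keeps the
# example dependency-free while exercising the same two checks.
SECRET = b"constructed-demo-secret-do-not-reuse"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    """Inverse of b64url; restores the padding stripped on encode."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, issued_at: int, lifetime_s: int, secret: bytes = SECRET) -> str:
    """Mint a self-contained token: nothing about it is stored server-side."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": issued_at, "exp": issued_at + lifetime_s}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{b64url(compact(header))}.{b64url(compact(payload))}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_token(token: str, now: int, secret: bytes = SECRET):
    """Stateless check a resource server performs: signature first, then exp.

    Returns (ok, reason). Note what is NOT checked: whether a newer token
    exists for the same user, or whether the refresh token was used since.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "bad signature"
    payload = json.loads(b64url_decode(payload_b64))
    if now >= payload["exp"]:
        return False, "expired"
    return True, "valid"


def demo() -> dict:
    """Replay the scenario from the question with a fixed clock."""
    t0 = 1_700_000_000            # constructed epoch seconds
    lifetime = 120                # the asker's two-minute access-token life
    old = issue_token("alice", t0, lifetime)
    new = issue_token("alice", t0 + 60, lifetime)   # "refresh" at t0+60s
    head, body, sig = new.split(".")
    tampered = f"{head}.{body}.{'A' * len(sig)}"   # signature overwritten
    return {
        "old_at_90s": verify_token(old, t0 + 90)[1],    # both still valid
        "new_at_90s": verify_token(new, t0 + 90)[1],
        "old_at_130s": verify_token(old, t0 + 130)[1],  # old one has expired
        "new_at_130s": verify_token(new, t0 + 130)[1],  # new one has 50s left
        "tampered": verify_token(tampered, t0 + 90)[1],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome}")
```

At 90 seconds both tokens pass, because nothing in the check ties the old token to the refresh that happened at 60 seconds; at 130 seconds only the old one fails, and it fails on `exp`, not on any revocation. That is the trade-off the answers describe: validation is offline and cheap, so the only thing bounding how long a superseded token remains usable is the lifetime configured on the client, which is why keeping access tokens short (as the asker already did) is the relevant control.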