Reputation: 521
We have an Angular SPA that is authorized by OIDC using the Implicit Flow. We use Keycloak as our authorization server. The Access Token has a short lifespan and is refreshed regularly via a hidden iframe.
After reading that the Authorization Code Flow + PKCE is the new recommended way to authorize SPAs, we decided to switch flows. Everything works fine, but Keycloak does give us a Refresh Token (along with Access and ID Token) every time we call the Token Endpoint. As there is no secure way to store the Refresh Token, we want to continue using the hidden iframe method for refreshing the access token.
Is there a way to disable refresh tokens in Keycloak? Or are we missing something? Is it OK to store Refresh Tokens in a SPA?
Upvotes: 8
Views: 6405
Reputation: 1387
More recent versions of Keycloak have implemented this feature at the client level under the "OpenID Connect Compatibility Modes" section.
I've verified with version 14.x.
Upvotes: 2
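The switch this answer refers to is the "Use refresh tokens" setting in the client's OpenID Connect Compatibility Modes; it is stored as the client attribute `use.refresh.tokens`, and an absent attribute means the default, enabled. The block below is an added example, not code from the answer or from Keycloak: it sets that attribute through the Keycloak Admin REST API (`PUT /admin/realms/{realm}/clients/{client-uuid}` with the full ClientRepresentation) and then checks a token-endpoint response for a leftover `refresh_token`. The base URL, realm, client UUID and admin token are hypothetical; the update fetches the current representation first and writes the whole object back so no other client settings are lost.

```javascript
// Added example: turn off refresh-token issuing for one Keycloak client and verify the effect.
const BASE_URL = 'https://keycloak.example.com'; // hypothetical
const REALM = 'demo';                             // hypothetical
const USE_REFRESH_TOKENS = 'use.refresh.tokens';  // client attribute behind the admin-console switch

function adminClientUrl(clientUuid) {
  return `${BASE_URL}/admin/realms/${encodeURIComponent(REALM)}/clients/${encodeURIComponent(clientUuid)}`;
}

// Absent attribute = default = refresh tokens enabled; Keycloak stores attribute values as strings.
function refreshTokensEnabled(clientRep) {
  const v = clientRep.attributes && clientRep.attributes[USE_REFRESH_TOKENS];
  return v === undefined || v === 'true';
}

// Copy of the representation with the switch off, every other attribute preserved.
function withRefreshTokensDisabled(clientRep) {
  return {
    ...clientRep,
    attributes: { ...(clientRep.attributes || {}), [USE_REFRESH_TOKENS]: 'false' },
  };
}

// GET the representation, flip the attribute, PUT the whole thing back (Keycloak answers 204).
async function disableRefreshTokens(clientUuid, adminToken) {
  const headers = { Authorization: `Bearer ${adminToken}`, 'Content-Type': 'application/json' };
  const getRes = await fetch(adminClientUrl(clientUuid), { headers });
  if (!getRes.ok) throw new Error(`read failed: HTTP ${getRes.status}`);
  const current = await getRes.json();
  const putRes = await fetch(adminClientUrl(clientUuid), {
    method: 'PUT',
    headers,
    body: JSON.stringify(withRefreshTokensDisabled(current)),
  });
  if (!putRes.ok) throw new Error(`update failed: HTTP ${putRes.status}`);
}

// Post-change check on a token-endpoint response (parsed JSON): a client with the switch off
// must get an access_token (and id_token for scope=openid) but no refresh_token.
function checkTokenResponse(json) {
  const problems = [];
  if (!json.access_token) problems.push('no access_token');
  if (!json.id_token) problems.push('no id_token');
  if ('refresh_token' in json) problems.push('refresh_token still issued: switch not applied to this client');
  return problems;
}

module.exports = { adminClientUrl, refreshTokensEnabled, withRefreshTokensDisabled, disableRefreshTokens, checkTokenResponse };
```

`disableRefreshTokens` is the only function that touches the network; run it once per client from an admin session, then confirm with `checkTokenResponse` on a real code exchange for that client, since the switch is per client, not per realm.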
Reputation: 2006
As seen from Keycloak's source code, it still does not provide a way to disable issuing a refresh token during the authorization code flow. Unfortunately, you should keep using the implicit grant flow, since a refresh token stored on the client side is a big flaw.
Upvotes: 0