Specified in draft-ietf-oauth-security-topics-13 section 4.12, refresh token rotation is becoming a vital part of using OIDC with SPAs. Auth0 supports it. Does Keycloak?
It should be possible to enable refresh token rotation through the option “Revoke Refresh Token” (please see https://www.keycloak.org/docs/latest/server_admin/#_timeouts).
Guys, I see this is not supported at all. It depends on the idle max session time. This will force all the refresh tokens to expire from the session’s creation date. We want to find a way to extend the refresh token based on the user’s activity each time the user is active.
So we can set the max idle session to 30 days, but what we want to achieve is that each time the user does any activity within those 30 days, the user gets a new 30-day validity for his refresh tokens. Currently, regardless of how many refresh tokens you enabled, all of them will expire after 30 days, because your max idle session is 30 days and it starts counting from the session start time.
There is no “idle max session” time. You are mixing things up.
There is the SSO session idle time and the SSO session max time.
The max time is the maximum time a session can live, there’s no way around. Period.
What you are looking for is the idle time. This will always be reset once the user interacts with the Keycloak server or a client refreshes a token.