How to Automatically Rotate Refresh Tokens When Access Tokens Are Renewed in Keycloak?

Hello everyone,
I’m currently implementing authentication using Keycloak, and I have a question regarding token refresh behavior.

When the access token is renewed, is there any way to automatically rotate (or refresh) the refresh token at the same time?

In our setup:

  • Access token lifetime: 1 hour
  • Refresh token lifetime: 5 days
  • Refresh token rotation: default behavior

The issue is:

Since the refresh token does not rotate automatically when the access token is refreshed, the user is forced back to the login screen as soon as the refresh token expires.
Because the access token is refreshed every hour, this means users are redirected to the login page right before the 120th renewal, when the refresh token hits its 5-day lifetime.

I’m looking for a way to keep the session alive (rotating the refresh token along with the access token), or any recommended configuration to avoid this forced login.

Any guidance or best practices would be greatly appreciated!

Thanks in advance.

The default behavior of Keycloak is to also issue a new refresh token on every refresh of the access token. So, you’ll get a new refresh token on every token refresh grant. You just have to use it.

If you use the new token and are still being forced to re-authenticate after 5 days, it’s probably your SSO session max setting, not the refresh token itself.
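The behavior described in the answer above, as an added example that is not part of the original thread and is not Keycloak's code: a client that adopts the refresh token returned by every `refresh_token` grant, run against a constructed stand-in for the token endpoint. `TokenStore`, `FakeTokenEndpoint`, the `post` transport and the `idle` / `session_max` parameters are hypothetical names, and the capping rule in the stand-in is an assumed model of a session maximum.

```python
import itertools
import time

class TokenStore:
    """Client-side token holder that adopts the refresh token from every response."""

    def __init__(self, client_id, tokens, post, now=time.time):
        self.client_id, self.post, self.now = client_id, post, now
        self._save(tokens)

    def _save(self, resp):
        t = self.now()
        self.access_token = resp["access_token"]
        self.access_exp = t + resp["expires_in"]
        # Replace the stored refresh token with the one just issued.
        self.refresh_token = resp["refresh_token"]
        self.refresh_exp = t + resp["refresh_expires_in"]

    def refresh(self):
        if self.now() >= self.refresh_exp:
            raise PermissionError("refresh token expired: interactive login required")
        self._save(self.post({"grant_type": "refresh_token",
                              "client_id": self.client_id,
                              "refresh_token": self.refresh_token}))
        return self.access_token

class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint (assumed model, not Keycloak code):
    each grant returns a new refresh token valid for `idle` seconds, capped by the
    time left until the session's hard maximum (`session_max`)."""

    def __init__(self, clock, idle, session_max, access_ttl=3600):
        self.clock, self.idle, self.access_ttl = clock, idle, access_ttl
        self.session_end = clock() + session_max
        self.issued, self.ids = {}, itertools.count(1)

    def issue(self):
        now = self.clock()
        left = min(self.idle, self.session_end - now)
        if left <= 0:
            raise PermissionError("session reached its maximum lifetime")
        rt = f"rt-{next(self.ids)}"
        self.issued[rt] = now + left
        return {"access_token": f"at-{rt}", "expires_in": self.access_ttl,
                "refresh_token": rt, "refresh_expires_in": left}

    def post(self, form):
        if self.issued.get(form["refresh_token"], 0) <= self.clock():
            raise PermissionError("invalid_grant")
        return self.issue()
```

In a real client, `post` would send the form to the realm's token endpoint and return the parsed JSON response; comparing successive `refresh_expires_in` values shows whether the refresh window is still sliding or is being capped by a session limit.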
