This is not strictly a Keycloak-related question, but it still involves Keycloak.
In the documentation of manfredsteyer/angular-oauth2-oidc (GitHub: Support for OAuth 2 and OpenId Connect (OIDC) in Angular), it is written that, in order to obtain a refresh token, the offline_access scope is mandatory (angular-oauth2-oidc).
Now, it seems to me that Keycloak always sends a refresh token, and I could not find this requirement in the OpenID specs or in the OAuth 2.0 specs.
An “offline access token” is a type of refresh token. From the docs:
Offline access is a feature described in the OpenID Connect specification. The idea is that during login, your client application will request an Offline token instead of a classic Refresh token. The application can save this offline token in a database or on disk and can use it later even if the user is logged out. This is useful if your application needs to do some “offline” actions on behalf of the user even when the user is not online. An example is a periodic backup of some data every night.
Why that library requires it is not clear to me, as a “classic Refresh token” should work fine.
As xgp was mentioning in the quote, the offline scope triggers storing the token in the Keycloak storage. One thing to keep in mind: if, for instance, your Keycloak instance or all of your Keycloak instances went down, that refresh token is still valid. If you use the classic RT in the same scenario as described before, that RT will become invalid. This is something that is critical for some business units.
Thank you both for your answers.
I agree, the use case of recovery is important.
Still, I find it strange that the library seems to make the offline_access scope a requirement.
Another thing that is not clear to me is whether the Keycloak session is renewed each time the refresh token is requested. I was checking the documentation of another product, Okta, and it seems this is exactly the use case they cover with the offline_access code.
Usually, developers don’t have a clear understanding of IAM standards such as OAuth 2.0 or OpenID Connect, and each IdP implementation has its own particularities. This is when the IAM architect typically helps to clarify things.
Whenever a refresh token is used to get an access token, Keycloak automatically generates a new refresh token and sends it back with the requested access token. That is how the session is renewed so that the session duration configuration is enforced. However, it is up to the application developer to replace the old refresh token with the newly generated one. The old refresh token stays valid, and will expire at the expiry time set in the exp claim of the token, regardless of the last time it was used.
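The two points made in this thread, requesting an offline token via the offline_access scope and always replacing the refresh token with the rotated one that Keycloak returns, as an added example that is not part of the original thread or of the angular-oauth2-oidc library. It assumes Keycloak refresh tokens are JWTs whose typ claim is "Refresh" (classic) or "Offline", and that an offline token may carry exp 0 to mean no fixed expiry; the sample tokens are constructed and unsigned.

```python
from __future__ import annotations
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_sample_token(payload: dict) -> str:
    """Constructed, unsigned sample JWT for demonstration only (not a real Keycloak token)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}."

def token_scope(base_scopes: list[str], want_offline: bool) -> str:
    """Scope string for the authorization request; offline_access asks Keycloak for an offline token."""
    scopes = list(base_scopes)
    if want_offline and "offline_access" not in scopes:
        scopes.append("offline_access")
    return " ".join(scopes)

def inspect_refresh_token(token: str, now: int) -> dict:
    """Read the UNVERIFIED payload of a refresh token to see which kind was issued and whether it expired.
    Assumption: typ is 'Refresh' or 'Offline'; exp 0 (offline token) means no fixed expiry."""
    _header, payload_b64, _sig = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    exp = payload.get("exp", 0)
    return {
        "typ": payload.get("typ"),
        "offline": payload.get("typ") == "Offline",
        "expired": exp > 0 and exp <= now,
    }

class TokenStore:
    """Client-side holder that always swaps in the rotated refresh token from a token response."""
    def __init__(self) -> None:
        self.access_token: str | None = None
        self.refresh_token: str | None = None
        self.superseded: list[str] = []  # replaced tokens: still valid until their own exp

    def apply_token_response(self, resp: dict) -> None:
        self.access_token = resp["access_token"]
        new_rt = resp.get("refresh_token")
        if new_rt and new_rt != self.refresh_token:
            if self.refresh_token is not None:
                self.superseded.append(self.refresh_token)  # do not reuse; it is not revoked by rotation
            self.refresh_token = new_rt
```

The superseded list exists only to make the thread's point visible: rotation does not revoke the old token, so a client that keeps using it is still accepted until its exp.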