We need to issue access tokens with a longer lifespan than desired for a legacy CLI application. We are using the admin-cli client, and to obtain the token we use the Resource Owner Credentials flow with the following request:
POST https://keycloak/auth/realms/myrealm/protocol/openid-connect/token
Accept: application/json
Content-Type: application/x-www-form-urlencoded
grant_type=password&client_id=admin-cli&username=user&password=password
In order to have that longer lifespan, we have set “Access Token Lifespan” under the admin-cli advanced settings to 70 minutes.
Those tokens work for interacting with the REST API without any problems until about 30/35 minutes after the token was issued. After that, we constantly get 401 Unauthorized errors.
What are we missing in understanding how the “Access Token Lifespan” works? Any other setting that might be getting in our way?
When retrieving an access token, can you check if its lifetime is actually set to 70 minutes?
I know that in some cases the realm settings mess things up.
I did a clean installation of keycloak locally and only set the lifespan to 70 minutes. It works as expected and only returns a 401 after those 70 minutes.
Maybe you can set up your own local Keycloak installation and change one setting at a time until you can either reproduce the issue or you have fully copied your production settings.
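One way to do the check suggested in the answer above, as an added example that is not part of the original thread: decode the access token's payload (no signature verification, since we only want to read exp and iat) and compare exp minus iat with the configured 70 minutes. The token endpoint's response also carries expires_in, which should report the same number of seconds. The request_token function reproduces the password-grant request from the question but needs a live server, so the demo runs on a constructed sample token with a placeholder signature; the issuer URL is taken from the question and the claim names (iss, azp, typ, iat, exp) are the standard ones Keycloak emits.

```python
import base64
import json
import urllib.parse
import urllib.request


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    This is only for inspecting exp/iat on a token the server just handed us
    over TLS; never make an authorization decision on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_lifetime_seconds(token: str) -> int:
    """Lifetime as encoded in the token itself: exp minus iat."""
    claims = decode_claims(token)
    return int(claims["exp"]) - int(claims["iat"])


def lifespan_matches(token: str, expected_minutes: int) -> bool:
    """True if exp - iat equals the configured Access Token Lifespan."""
    return token_lifetime_seconds(token) == expected_minutes * 60


def request_token(base_url: str, realm: str, client_id: str,
                  username: str, password: str) -> dict:
    """Same password-grant request as in the question (needs a live server).

    The returned dict includes 'access_token' and 'expires_in'; the latter
    should equal token_lifetime_seconds(access_token).
    """
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }).encode("ascii")
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def make_sample_token(iat: int, lifetime_seconds: int) -> str:
    """Constructed sample token for offline use; the signature is a placeholder,
    so this token would never verify against a real realm key."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": "https://keycloak/auth/realms/myrealm",  # issuer from the question
        "azp": "admin-cli",
        "typ": "Bearer",
        "iat": iat,
        "exp": iat + lifetime_seconds,
    }
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


if __name__ == "__main__":
    # Offline demo on the constructed token; for a real check, replace
    # `sample` with request_token(...)["access_token"].
    sample = make_sample_token(iat=1_700_000_000, lifetime_seconds=70 * 60)
    minutes = token_lifetime_seconds(sample) // 60
    print(f"exp - iat = {minutes} minutes; "
          f"matches 70? {lifespan_matches(sample, 70)}")
```

If exp minus iat (and expires_in) really is 4200 seconds, the "Access Token Lifespan" setting is taking effect and the early 401 comes from something other than the token's own expiry, which is exactly the realm-versus-client comparison the answer recommends doing one setting at a time.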