Tokens in Keycloak
- Access token
  - Short-lived (1-5 minutes)
  - Used for authentication to REST services
- ID Token
- Refresh token
  - Long-lived (30 minutes or more)
  - Used for refreshing access tokens
Offline token
- A refresh token that never expires
- Issued when the scope=offline_access parameter is used in the token request
- Can be used by the client (application) even when the user is not logged in
Revocation
- An offline token is not invalidated during user logout
- Revoked in account management or by admin
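The distinction above matters when auditing what a client holds: an offline token outlives the user's logout and can only be removed through account management or by an admin. The added example below (not part of these notes) tells a session-bound refresh token from an offline token by inspecting its claims: Keycloak sets the refresh token's typ claim to "Refresh" or "Offline", and an offline token carries the offline_access scope. The sample tokens are constructed, unsigned JWTs and the issuer URL is a placeholder.

```python
import base64
import json
import time

# Keycloak marks the "typ" claim of a refresh token as "Refresh" for a
# normal session-bound token and as "Offline" for an offline token.
OFFLINE_TYP = "Offline"
REFRESH_TYP = "Refresh"


def decode_payload(token):
    """Return the JWT payload as a dict without verifying the signature.

    Reading claims is enough for an inventory; Keycloak itself validates
    the signature when the token is presented at the token endpoint.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def classify_refresh_token(token, now=None):
    """Classify a refresh token: session-bound (expires, dies with logout)
    or offline (survives logout, must be revoked explicitly)."""
    claims = decode_payload(token)
    typ = claims.get("typ")
    scopes = claims.get("scope", "").split()
    offline = typ == OFFLINE_TYP or "offline_access" in scopes
    exp = claims.get("exp")
    now = int(time.time()) if now is None else now
    # An offline token has no usable expiry; a normal token expires at "exp".
    expires_in = None if offline or not exp else exp - now
    return {
        "typ": typ,
        "offline": offline,
        "survives_logout": offline,  # offline tokens are not invalidated on logout
        "expires_in": expires_in,
        "scopes": scopes,
    }


def _unsigned_jwt(payload):
    """Build a constructed, unsigned JWT (alg none) for the demo only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


NOW = 1_700_000_000  # fixed clock so the demo is deterministic
ISSUER = "https://keycloak.example/realms/demo"  # placeholder issuer
# Constructed sample claims modelled on Keycloak refresh-token payloads.
SESSION_REFRESH = _unsigned_jwt({"typ": REFRESH_TYP, "exp": NOW + 1800, "iss": ISSUER, "scope": "openid profile"})
OFFLINE_TOKEN = _unsigned_jwt({"typ": OFFLINE_TYP, "iss": ISSUER, "scope": "openid offline_access"})
```

Running `classify_refresh_token` over a client's stored tokens flags every entry with `survives_logout` set, which is exactly the set that needs revocation in account management or by an admin rather than a simple logout.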