Refresh Tokens
The OpenID Connect Provider from BankID provides Refresh Tokens with claims as shown in the below table. The origin column indicates non-standard claims. Such claims are either added by Keycloak or the result of customization made by the OIDC Provider from BankID.
See session handling for the life-time of a refresh token. The purpose of Refresh Tokens is to enhance security by keeping the life-time of Access Tokens shorter. An expired Access Token can easily be replaced with a new Access Token (without any user interaction) via a Refresh Token that was issued along with the most recent Access Token, but that was issued with a longer life-time than the Access Token itself.
Note finally that the OIDC Provider form BankID supports signed Refresh Tokens in JWT format. The below table shows claims in the payload part of the JWT. Claims contained in the JWT header are not shown.
| Claim | Origin | Example | Description | Comment |
|---|---|---|---|---|
typ | Keycloak | Refresh | Token type | Either See scope |
| Standard | tinfo | See Access Token | |
auth_time | Standard | 1510497762 | See ID Token | |
azp | Standard | oidc_testclient | See ID Token | |
exp | Standard | 1510498063 | See session handling | |
iat | Standard | 1510497763 | See session handling | |
iss | Standard | <oidc-baseurl> | See ID Token | |
jti | Standard | 7f22fd6a-3d46-4d5a-ae56-6de3c53e1873 | See ID Token | |
nbf | Standard | 0 | See ID Token | |
nonce | Standard | <random value> | See ID Token | |
session_state | Keycloak | abf823c2-9810-4133-9369-7bff1223d6c1 | See ID Token | |
sub | Standard |
| See ID Token | |
realm_access | Keycloak | {"roles:["profile","address","phone","email","nnin_altsub","nnin"]} | See Access Token | |
resource_access | Keycloak | {"tinfo:{"roles ["address","phone_number", "email", "nnin"]}} | See Access Token | |