Three primary layers of managing user access in keycloak

Keycloak User session Keycloak access token

LayerSetting NamePurposeWhat happens when expired
TokenAccess Token LifespanTemporary proof of identity for APIsAPI returns 401. Client must use a refresh token to get a new one.
Idle SessionSSO Session IdleTracks user inactivity (no token refreshes)Refresh tokens no longer work. User must log in with credentials
Max SessionSSO Session MaxHard limit on session durationSession is killed regardless of activity. User must log in again.
Tags