
Session Refresh

Understand how the portal keeps you signed in during a long working session. Short-lived access tokens are renewed silently in the background using the Keycloak refresh token, so you stay authenticated without re-entering credentials.

  • Prerequisites: An active signed-in session (see Sign in).
  • Required role/permission: None — refresh applies to every session.
  • Settings that affect behavior:
    • Access-token lifetime (Keycloak realm) — how often a silent refresh is needed; a short lifetime means more frequent background refreshes.
    • Refresh-token / SSO session lifetime (Keycloak realm) — the hard ceiling. Once the refresh token expires you are forced back to sign-in regardless of activity.
    • Idle timeout — if the realm enforces an idle/inactivity timeout, a session with no activity stops refreshing and is ended.
  1. Sign in and begin working in the portal.
  2. As you work, the portal silently exchanges the refresh token for a new access token before the current one expires — no prompt, no interruption.
  3. Continued activity keeps the session alive up to the refresh-token / SSO session limit.
  4. When the refresh token finally expires (or an idle timeout fires), the next protected request fails and the portal redirects you to the Keycloak login page to re-authenticate.
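The interplay of the three settings and the four steps above, modelled as an added example; this is not the portal's own code. The function names, the 30-second refresh margin and every lifetime value are assumptions chosen for illustration, and the idle rule is modelled as "refresh continues until the inactivity limit is reached".

```javascript
// Added example: a model of the refresh decision, not the portal's code.
// All lifetimes are constructed sample values in seconds, not real realm settings.
const SKEW = 30; // assumed margin: refresh this long before the access token expires

// Decide what the client should do at time `now` for the given session state.
function decide(s, now) {
  // Hard ceiling: refresh token / SSO session expired, activity cannot help.
  if (now >= s.refreshExp) return { action: "reauth", reason: "refresh-token-expired" };
  // Idle timeout: no recent activity, so stop refreshing and end the session.
  if (now - s.lastActivity >= s.idleTimeout) return { action: "reauth", reason: "idle-timeout" };
  // Access token is about to expire: renew it silently.
  if (now >= s.accessExp - SKEW) return { action: "refresh" };
  return { action: "none" };
}

// Walk a timeline in `step`-second ticks; `activity` lists times of user actions.
function simulate(cfg, activity, endTime, step = 10) {
  const s = { accessExp: cfg.accessLifetime, refreshExp: cfg.ssoMax,
              idleTimeout: cfg.idleTimeout, lastActivity: 0 };
  const pending = [...activity].sort((a, b) => a - b);
  let refreshes = 0;
  for (let now = 0; now <= endTime; now += step) {
    while (pending.length && pending[0] <= now) s.lastActivity = pending.shift();
    const d = decide(s, now);
    if (d.action === "reauth") return { endedAt: now, reason: d.reason, refreshes };
    if (d.action === "refresh") { s.accessExp = now + cfg.accessLifetime; refreshes++; }
  }
  return { endedAt: null, reason: null, refreshes };
}

const cfg = { accessLifetime: 300, ssoMax: 3600, idleTimeout: 900 }; // constructed
const everyMinute = Array.from({ length: 70 }, (_, i) => i * 60);
console.log(simulate(cfg, everyMinute, 4000));   // active user hits the hard ceiling
console.log(simulate(cfg, [0, 60, 120], 4000));  // user walks away, idle timeout fires
```

Lowering `accessLifetime` in the sample configuration raises the refresh count without moving the point at which the session ends.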

No captured steps yet. Run make regenerate-flows after a portal-e2e:docflow pipeline run produces docflow-output/session-refresh.json.