Session Refresh
Understand how the portal keeps you signed in during a long working session. Short-lived access tokens are renewed silently in the background using the Keycloak refresh token, so you stay authenticated without re-entering credentials.
Before you start
- Prerequisites: An active signed-in session (see Sign in).
- Required role/permission: None — refresh applies to every session.
- Settings that affect behavior:
  - Access-token lifetime (Keycloak realm) — how often a silent refresh is needed; a short lifetime means more frequent background refreshes.
  - Refresh-token / SSO session lifetime (Keycloak realm) — the hard ceiling. Once the refresh token expires you are forced back to sign-in regardless of activity.
  - Idle timeout — if the realm enforces an idle/inactivity timeout, a session with no activity stops refreshing and is ended.
- Sign in and begin working in the portal.
- As you work, the portal silently exchanges the refresh token for a new access token before the current one expires — no prompt, no interruption.
- Continued activity keeps the session alive up to the refresh-token / SSO session limit.
- When the refresh token finally expires (or an idle timeout fires), the next protected request fails and the portal redirects you to the Keycloak login page to re-authenticate.
No captured steps yet. Run make regenerate-flows after a portal-e2e:docflow pipeline run produces docflow-output/session-refresh.json.
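The sketch below is an added example, not the portal's or Keycloak's code. It models how the three settings above interact, replaying request timestamps against a stand-in token endpoint. The realm values, the 30-second refresh margin and all function names are assumptions; `expires_in`, `refresh_expires_in` and `invalid_grant` are the fields a real token response carries.

```javascript
// Constructed model for illustration. Realm settings in seconds (sample values).
const REALM = { accessLifespan: 300, ssoIdle: 1800, ssoMax: 36000 };

// Stand-in token endpoint (simplified): a refresh succeeds only while the
// session is inside both the idle window and the absolute session ceiling.
function tokenEndpoint(server, now) {
  const idleEnd = server.lastRefresh + REALM.ssoIdle;
  const maxEnd = server.start + REALM.ssoMax;
  if (now >= Math.min(idleEnd, maxEnd)) return { error: "invalid_grant" };
  server.lastRefresh = now; // a successful refresh restarts the idle window
  return {
    expires_in: Math.min(REALM.accessLifespan, maxEnd - now),
    refresh_expires_in: Math.min(REALM.ssoIdle, maxEnd - now),
  };
}

// Client-side decision taken before each protected request.
function nextAction(client, now, skew = 30) {
  if (now >= client.refreshExp) return "reauthenticate"; // refresh token expired
  if (now >= client.accessExp - skew) return "refresh";  // renew before expiry
  return "use";                                          // access token still valid
}

// Replay request times (seconds since sign-in) and record what the client does.
function simulate(requestTimes) {
  const server = { start: 0, lastRefresh: 0 };
  const client = { accessExp: REALM.accessLifespan, refreshExp: REALM.ssoIdle };
  const log = [];
  for (const t of requestTimes) {
    let action = nextAction(client, t);
    if (action === "refresh") {
      const r = tokenEndpoint(server, t);
      if (r.error) action = "reauthenticate";
      else {
        client.accessExp = t + r.expires_in;
        client.refreshExp = t + r.refresh_expires_in;
      }
    }
    log.push([t, action]);
    if (action === "reauthenticate") break; // redirect to the login page
  }
  return log;
}
```

With these sample values, a gap in activity longer than the idle window ends the session at the next request, and steady activity every 250 seconds still ends it at the 36000-second ceiling.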