Currently Keycloak generates 3 Tokens when refreshing an Access Token:
- new Refresh Token
- new Access Token
- new ID Token
Since the token generation is computationally expensive, it would be helpful if one could disable the generation of the ID Token, which according to the OpenID specs is not necessary for the refresh Access Token response.
Upon successful validation of the Refresh Token, the response body is the Token Response of Section 3.1.3.3 *except that it might not contain an id_token.*
Emphasis added by me.
Here is the discussion on the mailing list:
I'd propose to add a realm-wide switch to the "Tokens" configuration tab in the Realm Settings of the Admin Console, which would then be accessible via the RealmModel interface.