When KC returns the response with the RPT token to the frontend client, the response also contains the refresh token. So refreshing RPTs is possible.
However, the keycloak-authz.js client doesn't have any support for automatically refreshing the RPT token. I mean something similar to what is provided by keycloak.js itself (the method "keycloak.updateToken", which automatically refreshes the token if needed). Due to this limitation, it seems there is a bug in our quickstart.
When you try the quickstart "app-authz-uma-photoz" and you go through the flow like this:
- Open http://localhost:8080/photoz-html5-client and log in as jdoe
- Create some album
- Wait 10 minutes (RPT expiration is the same as AccessTokenLifespan, so 5
minutes by default)
- Try to create some album again - now it fails with 403 due to the RPT
having expired and no support for refreshing it in the keycloak-authz.js or the