I am currently designing a native mobile application that requires user authentication and authorization to connect to a REST API. Keycloak will be used as the IAM tool and the tokens will be JWTs.

I don't want the user to log in every time he opens the app, so I am wondering what the best way of handling a long-lived session is for this use case.

I am considering two options:

Option 1: Store encrypted user credentials and set up short lived access token/refresh token.

  • When the access token and refresh token have expired, perform a background login using the stored credentials and retrieve new access and refresh tokens
  • Storing the user credentials on Android/iOS might be a risk even if they are encrypted and hashed

Option 2: Store refresh token with no (or very long) expiration date

  • Token revocation is required, so this would require storing every token in the back-end.
  • A token with no expiration date looks risky too.

Which option is more secure?

1 Answer

Keycloak supports offline sessions, via the offline_access scope (this must be granted on the client), which allows you to create long-lived refresh tokens that can be stored in the app. You can configure how long these are valid, for instance a month. If the user opens the app more rarely than that, you can prompt for credentials.

This gives you an OpenID Connect compliant way to keep mobile apps logged in for a long time.
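The client-side half of what the answer describes, as an added example that is not part of the original answer and not Keycloak's own code: request the offline_access scope at login, keep only the offline token on the device, refresh silently while it is usable, and fall back to an interactive login when it is gone, past its lifetime, or rejected by Keycloak. Assumptions: the realm's token endpoint is at the standard OpenID Connect path (/protocol/openid-connect/token), the first token set comes from an Authorization Code + PKCE login in the system browser, `post_form` is an injected HTTP function so the logic runs offline, `store` stands in for Keystore/Keychain-backed storage, and the sample tokens are constructed, unsigned JWT-shaped strings rather than real Keycloak tokens.

```python
"""Client-side handling of a Keycloak offline token (added example)."""
import base64
import json
import time
from typing import Callable, Dict, Optional

# (token_url, form fields) -> parsed JSON response body; injected so tests run offline
Transport = Callable[[str, Dict[str, str]], Dict]


class LoginRequired(Exception):
    """No usable offline token: the app must show the interactive login again."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Read a JWT payload WITHOUT verifying it. The client only uses `exp` as a
    hint to skip a doomed refresh; Keycloak is the authority on token validity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization")
    return json.loads(b64url_decode(parts[1]))


class OfflineSession:
    def __init__(self, realm_url: str, client_id: str, post_form: Transport, store: dict):
        self.token_url = realm_url.rstrip("/") + "/protocol/openid-connect/token"
        self.client_id = client_id
        self.post_form = post_form
        self.store = store  # stands in for Android Keystore / iOS Keychain storage

    def authorize_params(self, redirect_uri: str, code_challenge: str, state: str) -> Dict[str, str]:
        """Authorization request parameters. `offline_access` is what makes Keycloak
        issue an offline token instead of a normal refresh token."""
        return {
            "response_type": "code", "client_id": self.client_id, "redirect_uri": redirect_uri,
            "scope": "openid offline_access", "state": state,
            "code_challenge": code_challenge, "code_challenge_method": "S256",
        }

    def save_tokens(self, resp: Dict, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self.store["access_token"] = resp["access_token"]
        self.store["access_expires_at"] = now + float(resp.get("expires_in", 0))
        self.store["refresh_token"] = resp["refresh_token"]  # keep the returned one; it may be rotated

    def refresh_token_usable(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        token = self.store.get("refresh_token")
        if not token:
            return False
        try:
            exp = decode_jwt_payload(token).get("exp", 0)
        except ValueError:
            return False
        # An offline token without a max lifetime may carry no/zero exp; then only the
        # server can tell, so attempt the refresh.
        return exp == 0 or exp > now

    def access_token(self, now: Optional[float] = None) -> str:
        """Return a valid access token, refreshing silently when possible."""
        now = time.time() if now is None else now
        if self.store.get("access_token") and self.store.get("access_expires_at", 0) > now + 30:
            return self.store["access_token"]
        if not self.refresh_token_usable(now):
            self.store.clear()
            raise LoginRequired("offline token missing or past its max lifetime")
        form = {"grant_type": "refresh_token", "client_id": self.client_id,
                "refresh_token": self.store["refresh_token"]}
        resp = self.post_form(self.token_url, form)
        if "error" in resp:
            # e.g. invalid_grant: revoked by user/admin, offline idle timeout, client changed
            self.store.clear()
            raise LoginRequired(resp.get("error_description", resp["error"]))
        self.save_tokens(resp, now)
        return resp["access_token"]


# --- constructed sample data for a stand-alone run (not real Keycloak tokens) ---

def make_unsigned_jwt(claims: dict) -> str:
    """JWT-shaped string with an empty signature, for the demo only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def fake_keycloak(valid_refresh: str) -> Transport:
    """Stand-in token endpoint that accepts exactly one offline token."""
    def post_form(url: str, form: Dict[str, str]) -> Dict:
        if form.get("grant_type") == "refresh_token" and form.get("refresh_token") == valid_refresh:
            return {"access_token": make_unsigned_jwt({"exp": 9_999_999_999}),
                    "expires_in": 300, "refresh_token": valid_refresh}
        return {"error": "invalid_grant", "error_description": "Token is not active"}
    return post_form


if __name__ == "__main__":
    now = int(time.time())
    offline = make_unsigned_jwt({"typ": "Offline", "exp": now + 30 * 86400})
    store = {"refresh_token": offline}
    session = OfflineSession("https://sso.example/realms/demo", "mobile-app", fake_keycloak(offline), store)
    print("silent refresh ok:", session.access_token(now) == store["access_token"])
```

The lifetime the answer mentions is set on the realm (Offline Session Idle, and Offline Session Max when enabled), not in the app; the app only needs to treat an `invalid_grant` response as "show the login screen" and wipe what it stored. Since offline sessions are tracked server-side, the user or an administrator can revoke a device's token without the app having to keep its own token list, which addresses the revocation concern raised against Option 2.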
