This is a purely theoretical question. I am working on an Angular frontend, which connects to a Spring Boot REST service. The authorization process is via OAuth2 and it uses a Keycloak server.
I have already implemented the part of my app which asks for an access token from Keycloak, and I have also tried to obtain it in Postman. All works correctly. Now, I have seen that in Postman I receive the access token and an expires_in value (both of these are clear), but also a refresh_token, a refresh_expires_in and a session_state. These last 3 values are not so clear to me. I am trying to understand them. So, until now, if I have understood correctly:
1) My Angular frontend sends the user credentials to the auth server (Keycloak, in my case) in order to receive a token, which expires after a given time.
2) When my Angular frontend requests some service from the backend, it sends the request itself (link, parameters and so on) and also the token.
3) The backend service checks the token and gives my frontend the desired resource.
4) The access token can be renewed before it expires; this is the purpose of the refresh token and refresh time.
Am I right so far? Now, I have read some tutorials (also on Stack Overflow) but I really didn't understand how the 3 values mentioned above and the refresh system work. From a concrete point of view, how does it work?
1) The token expiration is not related to the session expiration. They are 2 different and independent concepts. Am I right?
2) Materially, what is the process for renewing a token, and how and when does it happen? Is the renewal triggered automatically every X seconds, or when the backend checks that the token is valid, or at the time of each login?
3) In order to renew the access token, the refresh token should also be sent to the application server. Correct?
4) What is the purpose of the session_state I see in the token response via Postman?
I have read several tutorials but I am still a little bit confused about some aspects. And, before implementing, I would like to understand the concepts perfectly.
There are a few stages in a session:
The main thing is to understand the messages - my visual write-up may help you understand these - this write-up is for a desktop app but the messages are largely the same.
Out of interest, your Angular app should probably not use refresh tokens and should use the SPA access token renewal solution instead.
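To make the refresh mechanics from the question concrete, here is an added example (not code from the question, the answer, or Keycloak itself): it models the token response fields the question lists, decides from expires_in / refresh_expires_in whether the client should keep using the access token, refresh it, or send the user back to login, and builds the form-encoded refresh_token grant that goes to Keycloak's token endpoint. The client id, realm, base URL and token values are constructed placeholders.

```typescript
// Fields of a Keycloak token response, named as Keycloak returns them.
interface TokenResponse {
  access_token: string;
  expires_in: number;          // seconds until the access token expires
  refresh_token: string;
  refresh_expires_in: number;  // seconds until the refresh token expires
  session_state: string;       // id of the Keycloak SSO session the tokens belong to
}

// Tokens plus the client's wall-clock time (ms) when the response arrived.
interface TokenSet { tokens: TokenResponse; receivedAt: number; }

type Action = "use" | "refresh" | "login";

// Decide what to do before calling the resource server. `skewSec` is a safety
// margin so the token is refreshed shortly *before* it expires; a little clock
// drift between browser and Keycloak is normal, so never cut it to zero.
function decide(set: TokenSet, nowMs: number, skewSec = 30): Action {
  const ageSec = (nowMs - set.receivedAt) / 1000;
  const accessLeft = set.tokens.expires_in - ageSec;
  const refreshLeft = set.tokens.refresh_expires_in - ageSec;
  if (accessLeft > skewSec) return "use";       // still valid: send it as usual
  if (refreshLeft > skewSec) return "refresh";  // access token (nearly) expired, refresh still allowed
  return "login";                               // refresh token expired too: user must re-authenticate
}

// Body of the refresh_token grant (RFC 6749 section 6), POSTed as
// application/x-www-form-urlencoded to the token endpoint. A public SPA client
// sends only client_id; only a confidential (server-side) client adds client_secret,
// which is one reason the answer suggests SPA-style renewal instead of refresh tokens.
function refreshRequestBody(set: TokenSet, clientId: string): string {
  return new URLSearchParams({
    grant_type: "refresh_token",
    refresh_token: set.tokens.refresh_token,
    client_id: clientId,
  }).toString();
}

// Keycloak's token endpoint for a realm (base URL and realm are assumptions).
function tokenEndpoint(baseUrl: string, realm: string): string {
  return `${baseUrl}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`;
}

// Constructed sample shaped like the Postman response in the question; all values are fake.
const sample: TokenSet = {
  tokens: {
    access_token: "eyJ...access",
    expires_in: 300,
    refresh_token: "eyJ...refresh",
    refresh_expires_in: 1800,
    session_state: "00000000-0000-4000-8000-000000000000",
  },
  receivedAt: 0,
};
```

With the sample above, `decide(sample, 0)` is "use", at 290 seconds it is "refresh", and once the 1800-second refresh lifetime has also run out it is "login"; the session_state value only identifies the Keycloak session and plays no part in this decision.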