I'm trying to retrieve an offline_token from Keycloak (version 19) from the command line, but I always obtain an access_token based on my default expiration time (300 seconds).
I've read the official Keycloak documentation without any success. I added the offline_access role to the user and the same client scope (offline_access, default mode) to the client that I use to obtain the offline access token. When I retrieve it, a line appears in the consent section of the user profile, but with no grants, so I suspect that I'm missing some step or configuration.
My code is:
curl --location --request POST http://localhost:8080/realms/adnetwork/protocol/openid-connect/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=someclientid' \
--data-urlencode 'client_secret=someclientsecret' \
--data-urlencode 'scope=openid offline_access' \
--data-urlencode 'username=someuser' \
--data-urlencode 'password=somepass'
After this call, I take the access_token field but it expires in the next 5 minutes.
Thanks in advance
The access_token won't be the offline token. It's the refresh token which will be the actual offline-token. An offline-token doesn't have the exp claim.
With the offline-token, a (confidential!) client will be able to get a valid access_token for this user at any time, even when the user is not online (= offline), thus the name.
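To check which token in the response is the offline token, as the answer above describes, this added example (not part of the original question or answer) decodes both JWTs from a constructed token response and reports the access token's lifetime and whether the refresh token carries `exp`. The sample tokens, timestamp and function names are constructed for illustration; `typ` set to `Offline` is the type Keycloak puts in offline tokens.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Return a JWT's payload claims. Inspection only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWT")
    return json.loads(b64url_decode(parts[1]))

def classify_token_response(response: dict) -> dict:
    """Report which token in a token-endpoint response is the offline token."""
    access = jwt_claims(response["access_token"])
    refresh = jwt_claims(response["refresh_token"])
    return {
        "access_lifetime_s": access["exp"] - access["iat"],
        "refresh_typ": refresh.get("typ"),
        "refresh_has_exp": "exp" in refresh,
        # Keycloak marks offline tokens with typ "Offline"; ordinary ones use "Refresh".
        "is_offline_token": refresh.get("typ") == "Offline",
    }

def make_sample_jwt(claims: dict) -> str:
    """Build a constructed sample token with a dummy signature (test data only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])

NOW = 1_700_000_000  # constructed timestamp
SAMPLE_RESPONSE = {  # constructed response, shaped like the token endpoint's JSON
    "access_token": make_sample_jwt(
        {"typ": "Bearer", "iat": NOW, "exp": NOW + 300, "scope": "openid offline_access"}),
    "expires_in": 300,
    "refresh_token": make_sample_jwt(
        {"typ": "Offline", "iat": NOW, "scope": "openid offline_access"}),
    "refresh_expires_in": 0,
}

if __name__ == "__main__":
    print(classify_token_response(SAMPLE_RESPONSE))
```

Because the offline token stays usable after the user's session ends, it should be stored like any other long-lived credential and only on the confidential client that requested it.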