Now that openid SSO works in Axelor 7, we find that it doesn’t handle access-token refreshes properly.
While working within a page, changing fields etc, many API calls get made. If the access token provided by the SSO expires and needs a refresh, elements of the page stop working (as the API calls return http code 401 Unauthorized). Doing a page refresh can solve it, though sometimes it completely flicks back to the SSO login page and back to Axelor. Besides the inconvenience, you also lose the data entered.
SSO access token refresh doesn’t cause an issue for our other applications.
I wonder if this is the kind of thing we want: the app refresh the token a certain time before it expires
From pac4j side of things, TokenExpirationAdvance ? pac4j: security for Java
From Java side I also see: Securing Applications and Services Guide
token-minimum-time-to-live:
Amount of time, in seconds, to preemptively refresh an active access token with the Keycloak server before it expires. This is especially useful when the access token is sent to another REST client where it could expire before being evaluated. This value should never exceed the realm’s access token lifespan. The default value is 0 seconds, so adapter will refresh access token just if it’s expired.