Token not expiring when browser is closed

[shipswake]

We have a rather odd occurrence here

We are using refresh tokens to renew the token.

Steps to reproduce:

Set the token and refresh token lifetimes short (300)

Login

Close the browser

Wait until the token and refresh token have expired

Open the browser

The user is still logged in and there is no redirect

Any thoughts on what we have missed?

[zach-betz-hln]

@shipswake - if you tweak the token lifetimes in keycloak in the sample repo, are you able to reproduce it there as well?

[Badisi]

Could be the signin silent with the hidden iframe.
Even if your tokens have expired, if the user still has an opened session at the idp, this technic allows to contact the idp and get the user’s tokens using his session cookie

[shipswake]

Unable to reproduce with the sample repo
Any thoughts on what setting can cause this?