Browser clients
In browser applications, users are redirected to the Keycloak service when they visit the Planon Web application without being authenticated. The typical process is as follows:
When users successfully authenticate to the source configured in the Keycloak service, they will receive an authorization code. This authorization code can be exchanged for an access token. The access token has a short lifespan, usually 5 to 15 minutes.
Together with the access token, a refresh token is retrieved. If the access token has expired, a new set of tokens can be retrieved by exchanging the refresh token with the Keycloak service.
The refresh token is a longer-lived token, usually 8 hours from the first time the token set was generated.
Both the access token and the refresh token are stored in the web server session.
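The token handling described above, sketched as an added example (not Planon's own code): it builds the two token-endpoint request bodies and decides per request whether the session can use its access token, must refresh, or must send the browser back to Keycloak. The host, realm and client names are placeholders, and client authentication is left out as an assumption.

```python
import time
from urllib.parse import urlencode

# Assumed placeholders; the page names no host, realm or client. Client auth omitted.
TOKEN_ENDPOINT = "https://keycloak.example.com/realms/example-realm/protocol/openid-connect/token"
CLIENT_ID = "example-web-client"
SKEW = 30  # seconds of safety margin before an expiry counts as reached


def code_exchange_body(code, redirect_uri):
    """Form body that swaps the authorization code for the first token set."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": CLIENT_ID})


def refresh_body(refresh_token):
    """Form body that swaps the refresh token for a new token set."""
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token, "client_id": CLIENT_ID})


def store_tokens(session, response, now=None):
    """Keep both tokens in the server-side session with absolute deadlines."""
    now = time.time() if now is None else now
    refresh_deadline = now + response["refresh_expires_in"]
    # The refresh lifetime counts from the first token set, so never extend it.
    if "refresh_deadline" in session:
        refresh_deadline = min(refresh_deadline, session["refresh_deadline"])
    session.update(access_token=response["access_token"],
                   refresh_token=response["refresh_token"],
                   access_deadline=now + response["expires_in"],
                   refresh_deadline=refresh_deadline)
    return session


def next_action(session, now=None):
    """Return 'use', 'refresh' or 'login' for an incoming browser request."""
    now = time.time() if now is None else now
    if "refresh_token" not in session or now >= session["refresh_deadline"] - SKEW:
        return "login"      # redirect the browser to Keycloak again
    if now >= session["access_deadline"] - SKEW:
        return "refresh"    # POST refresh_body() to TOKEN_ENDPOINT
    return "use"


# Constructed token response: 5 minute access token, 8 hour refresh token.
SAMPLE = {"access_token": "constructed-access", "refresh_token": "constructed-refresh",
          "expires_in": 300, "refresh_expires_in": 28800}
```

Because the tokens live only in the server-side session, the browser holds just the session cookie and never sees either token.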