oapi-codegen
Question: security provider Bearer Token
Could someone explain to me how the bearer token security provider is supposed to work if the token expires after 5 minutes?
My understanding would be that the security provider should be passed a token url and, depending on the grant_type, either a client_id and client_secret (which is used, in case your token expired, to fetch a new one when no refresh_token is used) or, for the password grant type, a username, password and a client_id (some public client w/o secret).
(coming from Keycloak)
You should be able to configure Keycloak to grant longer session tokens.
Your frontend application needs to deal with token expiration, because all it does is present the token to the API. The client ID and Client Secret are used by the API to prove its identity to the identity provider, and are required for login flows such as "authorization code". Other flows don't require those, such as implicit flow. Anyhow, your app needs to stay on top of keeping its token fresh, so it's better just to make longer ones, unless your session is extremely sensitive.
I'm not entirely sure of what you're asking.
My question targets the usage of the security provider (of this module) for bearer tokens. Do you create a security provider for every new JWT, as the constructor of the security provider expects a JWT that will seemingly expire in 5 minutes?
I'd recommend creating a new type which, instead of hardcoding the token in the security provider, would perform validation of the JWT in the Intercept method, then it can be dynamic 👍
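An added example of the approach suggested in the last reply (this is not code from the oapi-codegen project, and the type and function names are hypothetical): a provider whose `Intercept(ctx, req)` method has the same shape as the generated client's request editor and the bundled bearer-token provider, but which checks the cached token's expiry on every request and fetches a fresh one from the token URL before it runs out. It assumes the OAuth2 `client_credentials` grant and a standard `access_token`/`expires_in` JSON token response; the token endpoint in `main` is a constructed stand-in for Keycloak.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// TokenFetcher obtains a fresh bearer token and the time at which it expires.
type TokenFetcher func(ctx context.Context) (token string, expiry time.Time, err error)

// RefreshingBearerProvider (hypothetical name) holds a short-lived token and
// replaces it on demand instead of hardcoding one JWT at construction time.
type RefreshingBearerProvider struct {
	mu     sync.Mutex
	fetch  TokenFetcher
	now    func() time.Time // injectable clock, defaults to time.Now
	leeway time.Duration    // refresh this long before the token actually expires
	token  string
	expiry time.Time
}

func NewRefreshingBearerProvider(fetch TokenFetcher, leeway time.Duration) *RefreshingBearerProvider {
	return &RefreshingBearerProvider{fetch: fetch, now: time.Now, leeway: leeway}
}

// Intercept sets the Authorization header, fetching a new token first when the
// cached one is missing or within `leeway` of expiring. The mutex keeps
// concurrent requests from all hitting the token endpoint at once.
func (p *RefreshingBearerProvider) Intercept(ctx context.Context, req *http.Request) error {
	p.mu.Lock()
	defer p.mu.Unlock()
	if p.token == "" || !p.now().Add(p.leeway).Before(p.expiry) {
		tok, exp, err := p.fetch(ctx)
		if err != nil {
			return fmt.Errorf("refresh bearer token: %w", err)
		}
		p.token, p.expiry = tok, exp
	}
	req.Header.Set("Authorization", "Bearer "+p.token)
	return nil
}

// ClientCredentialsFetcher builds a TokenFetcher for the OAuth2 client_credentials
// grant: POST grant_type to tokenURL with the client id/secret as HTTP Basic
// credentials, then read access_token and expires_in from the JSON response.
func ClientCredentialsFetcher(client *http.Client, tokenURL, clientID, clientSecret string) TokenFetcher {
	return func(ctx context.Context) (string, time.Time, error) {
		form := url.Values{"grant_type": {"client_credentials"}}
		req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
		if err != nil {
			return "", time.Time{}, err
		}
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		req.SetBasicAuth(clientID, clientSecret)
		resp, err := client.Do(req)
		if err != nil {
			return "", time.Time{}, err
		}
		defer resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			return "", time.Time{}, fmt.Errorf("token endpoint returned %s", resp.Status)
		}
		var body struct {
			AccessToken string `json:"access_token"`
			ExpiresIn   int    `json:"expires_in"`
		}
		if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
			return "", time.Time{}, err
		}
		if body.AccessToken == "" {
			return "", time.Time{}, errors.New("token response had no access_token")
		}
		return body.AccessToken, time.Now().Add(time.Duration(body.ExpiresIn) * time.Second), nil
	}
}

func main() {
	// Constructed stand-in for a Keycloak token endpoint: every call issues a new
	// token valid for 300 seconds, the 5-minute lifetime from the question.
	calls := 0
	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		calls++
		_ = json.NewEncoder(w).Encode(map[string]interface{}{"access_token": fmt.Sprintf("tok-%d", calls), "expires_in": 300})
	}))
	defer ts.Close()

	p := NewRefreshingBearerProvider(ClientCredentialsFetcher(ts.Client(), ts.URL, "client-id", "client-secret"), 30*time.Second)
	for i := 0; i < 2; i++ {
		req, _ := http.NewRequest(http.MethodGet, "http://api.example/pets", nil)
		_ = p.Intercept(context.Background(), req)
		fmt.Println(req.Header.Get("Authorization"))
	}
	fmt.Println("token endpoint called", calls, "time(s)") // 1: the second request reused the cached token
}
```

Pass `p.Intercept` to the generated client the same way you would pass the bundled provider's `Intercept` (as its request editor), so one provider serves all requests for the lifetime of the process. The client secret stays in the backend process that owns the provider, which is the only party that should hold it; the leeway absorbs clock skew between the API host and the identity provider, and a refresh failure surfaces as an error from `Intercept` rather than as a request sent with an expired token.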