
OAuth2 Flows

RudiThoeni edited this page Aug 10, 2022 · 6 revisions

Authorization Code Flow (Standard Flow)

Redirect-based access, used for interactive login via the browser.
First step: send the browser to the authorization endpoint with a valid redirect_uri and the client_id:
GET AUTHSERVERURL + protocol/openid-connect/auth?client_id=clientid&redirect_uri=redirecturi&response_type=code&scope=openid
Then use the code returned as a query parameter to get the token from the token endpoint with grant_type=authorization_code:
POST AUTHSERVERURL + protocol/openid-connect/token
grant_type: authorization_code
client_id: clientid
code: code
redirect_uri: redirecturi
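The two steps above, as an added example (not code from this wiki or the project it documents): a client-side helper that builds the GET to the auth endpoint, checks the callback, and prepares the POST body for the token endpoint. AUTHSERVERURL, the client id and the registered redirect URI are placeholder values. The state parameter (standard OAuth2 CSRF protection) and the optional PKCE parameters code_challenge / code_challenge_method / code_verifier (RFC 7636, supported by Keycloak) are not on the page; they are included here because a practitioner should send them with the code flow.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values for the example; substitute your own realm URL and client.
AUTHSERVERURL = "https://auth.example.test/realms/demo/"
CLIENT_ID = "clientid"
# The client's registered redirect URIs; an unregistered one is rejected up front.
ALLOWED_REDIRECT_URIS = {"https://app.example.test/callback"}


def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)  # 86 URL-safe chars, within the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_auth_url(redirect_uri, state, code_challenge=None):
    """Step 1: the GET to protocol/openid-connect/auth (the page's parameters plus state/PKCE)."""
    if redirect_uri not in ALLOWED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not one of the client's registered URIs")
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": state,  # random per login; bound to the browser session
    }
    if code_challenge:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return AUTHSERVERURL + "protocol/openid-connect/auth?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2a: take the code off the redirect and refuse it if state does not match."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this login")
    if "error" in qs:
        raise ValueError("authorization server returned error: " + qs["error"][0])
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]


def build_token_request(code, redirect_uri, code_verifier=None):
    """Step 2b: endpoint and form body for the POST with grant_type=authorization_code."""
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one used in step 1
    }
    if code_verifier:
        body["code_verifier"] = code_verifier
    return AUTHSERVERURL + "protocol/openid-connect/token", body


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_auth_url("https://app.example.test/callback", state, challenge))
    # The browser comes back to the redirect_uri with ?code=...&state=...; a constructed sample:
    code = parse_callback("https://app.example.test/callback?state=" + state + "&code=SAMPLECODE", state)
    print(build_token_request(code, "https://app.example.test/callback", verifier))
```

The bodies are meant to be sent as application/x-www-form-urlencoded; for a confidential client the token request additionally carries client_secret (or HTTP basic authentication), which the page's public-client listing omits.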

Client Credentials (Service Account)

Service account for machine-to-machine data exchange. One POST to the token endpoint is enough:
POST AUTHSERVERURL + protocol/openid-connect/token
grant_type: client_credentials
client_id: clientid
client_secret: clientsecret

The client_credentials grant_type does not return a refresh token; request a new access token when the current one expires.

Password Credentials

Pass all information in one request and get the token directly from the token endpoint:
POST AUTHSERVERURL + protocol/openid-connect/token
grant_type: password
client_id: clientid
client_secret: clientsecret
username: username
password: password
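The two token-endpoint-only grants above (client_credentials and password), as an added example that is not part of this wiki: it builds each form body, parses a token response, and decides what to do when the access token is about to expire. Because client_credentials returns no refresh token, the only option there is a fresh client_credentials request, whereas a password-grant session can use its refresh token. AUTHSERVERURL and the two JSON responses are constructed placeholders; the redact() helper keeps client_secret and password out of logs.

```python
import json
import time

AUTHSERVERURL = "https://auth.example.test/realms/demo/"  # placeholder realm URL
TOKEN_ENDPOINT = AUTHSERVERURL + "protocol/openid-connect/token"
SECRET_FIELDS = ("client_secret", "password")


def client_credentials_request(client_id, client_secret):
    """Form body for the service-account grant (machine to machine)."""
    return TOKEN_ENDPOINT, {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }


def password_request(client_id, client_secret, username, password):
    """Form body for the password grant: user credentials go through the client."""
    return TOKEN_ENDPOINT, {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }


def redact(body):
    """Copy of a form body safe for logging: secret fields are masked."""
    return {k: ("***" if k in SECRET_FIELDS else v) for k, v in body.items()}


def parse_token_response(raw_json, grant_type, now=None):
    """Normalise a token endpoint response; tolerates the missing refresh_token of client_credentials."""
    data = json.loads(raw_json)
    if "access_token" not in data:
        raise ValueError("token response has no access_token: " + str(data.get("error", "?")))
    now = time.time() if now is None else now
    refresh = data.get("refresh_token")
    if grant_type == "client_credentials" and refresh is not None:
        # Unexpected for this grant; keep it but note that the server's configuration differs
        # from the behaviour described on this page.
        pass
    return {
        "grant_type": grant_type,
        "access_token": data["access_token"],
        "expires_at": now + int(data.get("expires_in", 0)),
        "refresh_token": refresh,
        "can_refresh": refresh is not None,
    }


def next_action(token, now, leeway=30):
    """Return 'use', 'refresh' or 'reauthenticate' for a parsed token at time now."""
    if now + leeway < token["expires_at"]:
        return "use"
    # Expired or about to expire: refresh if we hold a refresh token, otherwise
    # go back to the original grant (always the case for client_credentials).
    return "refresh" if token["can_refresh"] else "reauthenticate"


# Constructed sample responses, not captured from a real server.
SAMPLE_CLIENT_CREDENTIALS = '{"access_token": "AT-service", "expires_in": 300, "token_type": "Bearer"}'
SAMPLE_PASSWORD = ('{"access_token": "AT-user", "expires_in": 300, "refresh_token": "RT-user", '
                   '"refresh_expires_in": 1800, "token_type": "Bearer"}')

if __name__ == "__main__":
    endpoint, body = client_credentials_request("clientid", "clientsecret")
    print(endpoint, redact(body))
    tok = parse_token_response(SAMPLE_CLIENT_CREDENTIALS, "client_credentials", now=0)
    print(next_action(tok, now=0), next_action(tok, now=290))
```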

Keycloak Token Lifespan

SSO Session Max > SSO Session Idle --> refresh token lifetime = SSO Session Idle
SSO Session Max <= SSO Session Idle --> refresh token lifetime = SSO Session Max

The Client Session Idle and Client Session Max fields of the realm settings, when NOT set, default to SSO Session Idle and SSO Session Max, respectively.
If those values are set, they override SSO Session Idle and SSO Session Max for the refresh token, BUT only if they are lower than the SSO Session Idle and SSO Session Max values.

Finally, the realm-level Client Session Idle and Client Session Max fields can be overwritten by the Client Session Idle and Client Session Max settings of the individual clients, which affects the refresh token lifespan for that client only.
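The lifespan rules above carried through in code, as an added example that is not part of this wiki and not Keycloak's own implementation. It applies the page's rules in order: per-client values replace the realm-level Client Session values, unset Client Session values fall back to the SSO values, set values only win when lower than the SSO values, and the final Max-versus-Idle comparison picks the lifetime. Two points are assumptions: a value of 0 is treated as "not set" (Keycloak's admin console uses 0 for that), and the "only if lower" rule is applied to per-client values exactly as to realm-level ones, which the page does not spell out. All durations are in seconds.

```python
def _unset(value):
    # Assumption: None or 0 both mean "not set" for a Client Session field.
    return value is None or value == 0


def effective_session_values(sso_idle, sso_max,
                             realm_client_idle=None, realm_client_max=None,
                             client_idle=None, client_max=None):
    """Return (idle, max) that govern a refresh token after all overrides."""
    # Per-client settings overwrite the realm-level Client Session fields.
    eff_idle = realm_client_idle if _unset(client_idle) else client_idle
    eff_max = realm_client_max if _unset(client_max) else client_max
    # Unset Client Session fields are the same as the SSO Session fields.
    idle = sso_idle if _unset(eff_idle) else eff_idle
    max_ = sso_max if _unset(eff_max) else eff_max
    # A set value only overrides when it is lower than the SSO value.
    return min(idle, sso_idle), min(max_, sso_max)


def refresh_token_lifetime(sso_idle, sso_max, **overrides):
    """Refresh token lifetime in seconds under the rules on this page."""
    idle, max_ = effective_session_values(sso_idle, sso_max, **overrides)
    # Max > Idle -> lifetime = Idle ; Max <= Idle -> lifetime = Max
    return idle if max_ > idle else max_


def limiting_setting(sso_idle, sso_max, **overrides):
    """Name the setting that ended up bounding the refresh token (useful when debugging logouts)."""
    idle, max_ = effective_session_values(sso_idle, sso_max, **overrides)
    if max_ > idle:
        return "SSO Session Idle" if idle == sso_idle else "Client Session Idle"
    return "SSO Session Max" if max_ == sso_max else "Client Session Max"


if __name__ == "__main__":
    # Constructed realm: 30 min idle, 10 h max, one client with its own 10 min idle.
    print(refresh_token_lifetime(1800, 36000))                      # 1800
    print(refresh_token_lifetime(1800, 36000, client_idle=600),      # 600
          limiting_setting(1800, 36000, client_idle=600))
```

A typical use is to compare the computed value with the refresh_expires_in field of a real token response from the realm: a mismatch usually means a per-client override you did not know about.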
