How to force creating a new session in Keycloak to authenticate CLI apps using OIDC Protocol

Question

I have a webapp that uses Keycloak for user management and auth provider successfully.

The same application requires a CLI tool for some operations (similar to the gcloud CLI + web console).

I've implemented the CLI part using the OIDC Authorization Code Flow that opens the browser for the user to authenticate. It works like a charm.

However, if the user logoff from the browser, Keycloak will invalidate the session and the cli will have to re-authenticate to get a new access_token and refresh_token.

My question here is, how can I force the CLI app login to create a new session separate from the browser session.

Or, if not possible, what's the correct way of achieving this?

Answer 1

Eventually, found out that I just have to add the scope offline_access to the list of scopes I am requesting. Keycloak will then create a new offline session (bad name for the feature, Offline just means that the user doesn't have to be present, but all the refreshes happen the same way)

https://github.com/keycloak/keycloak-documentation/blob/main/server_admin/topics/sessions/offline.adoc