It would be also nice to expand the updateToken() function to also support the implicit flow. Currently it works only with a standard flow. It is recommended to use implicit flow with public clients such as and Angular SPA. Using implicit flow prevents keeping refresh token in a public application.
Silent refresh is usually implemented by the hidden iframe trick as is done in this library (https://manfredsteyer.github.io/angular-oauth2-oidc/angular-oauth2-oidc/docs/additional-documentation/refreshing-a-token-(silent-refresh).html). Auth0 also has an implementation for this and their code is also MIT licensed. (https://auth0.github.io/auth0.js/global.html#renewAuth)
Excellent @marcelnem!
Let's ship this in the next version as we already talked.
Does this address the symptom where there's what appears as a temporary redirect before the page is authenticated?
Each time my user refreshes an app - they temporarily see the current route change to
.../foo#state=745282f8-0d38-4002-....
Just for your information:
There's currently a PR in the Keycloak project, adding silent refresh for implicit flow to the keycloak.js adapter: https://github.com/keycloak/keycloak/pull/5932
Great to know @dasniko! Nice job!
@mauriciovigolo any updates on this ? Refresh token not works in any kind.
@devansvd @mauriciovigolo The new Best Practice is that the code grant with PKCE should be used instead of implicit grant for Single Page Applications.
see discussion here to learn why:
https://github.com/keycloak/keycloak/pull/5932#issuecomment-492713356
PKCE support for Keycloak JS adapter should be developed soon. See this PR:
https://github.com/keycloak/keycloak/pull/6047
I totally see, that code grant with PKCE is more secure than the implicit flow.
But still one needs to refresh the access token.
And keeping the refresh token client side in the browser is still not secure (-> Browser Extensions!) as there is no support of token binding yet.
So I think the most secure solution at the moment would be Code grant with PKCE and token renewal with iframe silent refresh.
-> I think silent refresh is still needed.
I'm going to go ahead an see if we can get this implemented now considering keycloak-js should have this functionality. It's still unclear to me how this should be implemented so I am going to do some research, if anyone has some insights feel free to share them.
Looks like the required method checkSsoSilently (see here) is not exported from Keycloak JS. Meaning we will have to implement it here or make a PR to export this method.
keycloak-js doesn't have the option to refresh tokens silently when having implict flow. The checkSsoSilently option is just for checking the SSO state initially when accessing the site through an iframe and avoiding a useless redirect of the whole page.
Exactly, it would have to be implemented there first in order for this to work. Although I believe if I am not mistaken that checkSsoSilently could be executed again (if exposed) after the token expires in order to 'refresh' the session.
There is a onTokenExpired hook you can use to refresh tokens if you want to.

@marcelnem @mauriciovigolo totally agree. code with pkce is the recommended approach now a days. https://devansvd.com/oauth/#authorization-code-grant-with-pkce
Closing this as the code grant flow is now the recommended standard and these changes will need to be made in keycloak-js and not Keycloak Angular.
Most helpful comment
I totally see, that code grant with PKCE is more secure than the implicit flow.
But still one needs to refresh the access token.
And keeping the refresh token client side in the browser is still not secure (-> Browser Extensions!) as there is no support of token binding yet.
So I think the most secure solution at the moment would be Code grant with PKCE and token renewal with iframe silent refresh.
-> I think silent refresh is still needed.