diff --git a/CHANGELOG.md b/CHANGELOG.md
index d2b4229a2e5bb03686c22c00526ac4618474803d..c4bcd5cfaadd1f14d11b8759a11b3a6a22a9ac0f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,5 @@
 
-#### **2.0.0 (unreleased or in master)**
+#### **2.0.0**
 
 FEATURES:
  * Adding the --skip-openid-provider-tls-verify option to bypass the TLS verification for Idp [#PR147](https://github.com/gambol99/keycloak-proxy/pull/147)
@@ -19,7 +19,7 @@ BREAKING CHANGES:
  * Changed the command line options scope -> scopes
  * Changed the command line options log-json-format -> json-format
  * Changed the command line options resource -> resources
- * Changed the command line options tags -> tags 
+ * Changed the command line options tags -> tags
 
 #### **1.2.8**
 
diff --git a/doc.go b/doc.go
index a833f6f640c4da75ae91a9b652848212fc9ecbfc..6811ee0984495562e2799a3769e702118cb6a77b 100644
--- a/doc.go
+++ b/doc.go
@@ -24,7 +24,7 @@ import (
 )
 
 var (
-	release = "v1.2.8"
+	release = "v2.0.0"
 	gitsha  = "no gitsha provided"
 	version = release + " (git+sha: " + gitsha + ")"
 )
diff --git a/handlers.go b/handlers.go
index 04b62e8b54fc549ab95dd49961128de0cdb4fb82..910cf84f0f18eabfdb68d812d72f233c4bce34f6 100644
--- a/handlers.go
+++ b/handlers.go
@@ -169,9 +169,15 @@ func (r *oauthProxy) oauthCallbackHandler(cx *gin.Context) {
 					"error": err.Error(),
 				}).Warnf("failed to save the refresh token in the store")
 			}
+			// step: get expiration of the refresh token if we can
+			_, ident, err := parseToken(response.RefreshToken)
+			if err != nil {
+				r.dropAccessTokenCookie(cx, session.Encode(), time.Duration(72)*time.Hour)
+			} else {
+				r.dropAccessTokenCookie(cx, session.Encode(), ident.ExpiresAt.Sub(time.Now()))
+			}
 		default:
-			// step: attempt to decode the refresh token (not all refresh tokens are jwt tokens;
-			// gooogle for instance.
+			// step: attempt to decode the refresh token (not all refresh tokens are jwt tokens; google for instance.
 			if _, ident, err := parseToken(response.RefreshToken); err != nil {
 				r.dropRefreshTokenCookie(cx, encrypted, time.Duration(72)*time.Hour)
 			} else {