Automatic logout of security admin console on SSO session idle timeout doesn't work?


Keycloak 11.0.2 security admin console UI doesn’t seem to automatically log out and redirect the user to the login page after the SSO session idle timeout is reached.

Has this feature ever existed, or does this look like a bug? Or is there a correct way to configure this?

Steps to reproduce:

  1. Set a low SSO Session idle timeout, e.g. 2 mins.
  2. Wait for 2 mins (+ extra 2 mins as there is a small timeout buffer).
  3. Expect automatic logout to happen and redirect the user to the login page.
    Instead, the UI gets redirected to the login page only after I click some link.

The impact is that the security admin console UI will be exposed in the browser until someone clicks a link, which may expose some data, e.g. a list of usernames, a client secret, etc.

Any thoughts?
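
One way a browser client could enforce the deadline without waiting for a click, as an added example that is not part of the original post and not Keycloak's code: a watchdog that reads the expiry from a token and fires a lock-out callback by timer. It assumes the refresh token's `exp` claim reflects the SSO session idle deadline; `createIdleWatchdog`, `msUntilExpiry` and `makeSampleToken` are hypothetical names.

```javascript
// Added example, not Keycloak's code. Assumption: the refresh token's `exp`
// claim (seconds since epoch) marks when the SSO session idles out.

// Decode a JWT payload without verifying it; used only to read `exp`.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(atob(padded));
}

// Milliseconds left before the session deadline; 0 if it has already passed.
function msUntilExpiry(token, nowMs = Date.now()) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') throw new Error('token has no numeric exp');
  return Math.max(0, exp * 1000 - nowMs);
}

const realTimers = {
  set: (fn, ms) => setTimeout(fn, ms),
  clear: (handle) => clearTimeout(handle),
};

// One-shot timer that calls onExpire at the deadline with no user click.
// Call rearm() after every token refresh so an active user is not locked out.
function createIdleWatchdog(onExpire, timers = realTimers) {
  let handle = null;
  const stop = () => {
    if (handle !== null) timers.clear(handle);
    handle = null;
  };
  return {
    rearm(token, nowMs = Date.now()) {
      stop();
      const delay = msUntilExpiry(token, nowMs);
      handle = timers.set(() => { handle = null; onExpire(); }, delay);
      return delay;
    },
    stop,
  };
}

// Constructed sample: an unsigned token whose only claim is `exp`.
const NOW = 1_700_000_000_000; // fixed "now" in ms, constructed
function makeSampleToken(expSeconds) {
  const enc = (o) => btoa(JSON.stringify(o))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc({ exp: expSeconds })}.sig`;
}
```

In a page, `onExpire` would clear the rendered data (usernames, client secrets) and navigate to the login URL.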