We have a need for two clients to have two different max session expirations and are running into an issue with this with the KEYCLOAK_SESSION cookie expiry. Client A (used for api access) requires a longer 90 day session expiration while Client B requires a session max of 1 day (web access). We are required to set the realm SSO session max to the largest value our clients need, so 90 days. When we override Client B through Advanced Settings → Client Session Max, this does not seem to affect the KEYCLOAK_SESSION cookie expiration that is set. So we run into the following scenario:
Since the keycloak login page detects a valid KEYCLOAK_SESSION cookie the login process is kicked off, and it’s not until we exchange the authorization code for the access token and check the expiration on the access token that we can determine that their session is now invalid. This presents a problem as there’s a significant delay for this exchange before we’re able to determine they don’t have a valid session and have to redirect them to login.
Is there any configuration we are missing that can solve this scenario, or is this a bug that needs to be addressed?