Session Expiration and Backchannel Logout

Hello,

We are trying to secure an existing Struts 2 / JSP legacy application with Keycloak, integrating the app with Spring Security 5.x OIDC support.

Login and logout work just fine; we have also set up a backchannel logout, so we can get a notification if the session is killed, either from Keycloak or because the user logged in from another machine (with the “User Session Counter Limiter”).

The scenario we are currently investigating is the Keycloak session expiration from timeout due to inactivity (“SSO Session Idle”). It seems the backchannel logout is not triggered for the session expiration; is this correct? Is there some other way to get a notification to the app that the Keycloak session has expired?

I think you are right that the session expiration does not trigger a backchannel logout request.

But this is expected, as the information about when the session will expire is in the token provided by Keycloak at login.

Not sure how to configure spring security to use that information.
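One way to act on that expiry in Spring Security 5.x, as an added example that is not from the thread or from either project: a servlet filter that reads the `exp` claim Spring exposes as `OidcIdToken.getExpiresAt()` on the logged-in `OidcUser` and ends the local HTTP session once it has passed. It assumes Spring Security's OAuth2 client support, `javax.servlet` (Spring 5), a `/login` redirect target, and that the ID token lifetime configured in the Keycloak realm is the window you want to enforce (the SSO Session Idle value itself is a separate realm setting, so check which token lifetime matches it).

```java
import java.io.IOException;
import java.time.Clock;
import java.time.Instant;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Ends the local session when the ID token issued by Keycloak at login has expired.
 * Hypothetical filter: register it in your SecurityFilterChain, e.g.
 *   http.addFilterAfter(new OidcTokenExpiryFilter(Clock.systemUTC()), SecurityContextPersistenceFilter.class);
 */
public class OidcTokenExpiryFilter extends OncePerRequestFilter {

    private final Clock clock; // injected so the check is testable with a fixed time

    public OidcTokenExpiryFilter(Clock clock) {
        this.clock = clock;
    }

    /** True when the authenticated principal carries an ID token whose exp is in the past. */
    static boolean idTokenExpired(Authentication auth, Instant now) {
        if (auth == null || !(auth.getPrincipal() instanceof OidcUser)) {
            return false; // not an OIDC login (or anonymous): nothing to enforce here
        }
        Instant expiresAt = ((OidcUser) auth.getPrincipal()).getIdToken().getExpiresAt();
        return expiresAt != null && !now.isBefore(expiresAt);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (idTokenExpired(auth, clock.instant())) {
            // Treat the expired token as an ended Keycloak session: drop local state and re-authenticate.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            SecurityContextHolder.clearContext();
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Because `exp` is read from the token that was issued at login, this catches expiry only on the next request the user makes; it does not replace a backchannel notification for idle sessions.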