Shouldn't Keycloak reject auth-cookie after SSO idle timeout?

I was expecting that a request to the OIDC auth endpoint containing the Keycloak Auth cookies, which was received after the SSO idle timeout, would not be automatically authenticated. But this seems to be the case.

Here’s our setup:

Here’s our scenario:

  • User requests webapp
  • oauth2-proxy intercepts request, performs OAuth code flow, stores access and ID tokens and issues a session cookie to user agent
  • oauth2-proxy is configured to refresh tokens every minute.
  • Keycloak is configured with SSO idle timeout of 2 minutes.
  • After idle timeout of >2 Minutes, user requests webapp’s resources again
  • oauth-proxy tries to refresh token at Keycloak token endpoint, but doesn’t succeed (correctly, since idle timeout has passed and session is therefore invalid)
  • oauth-proxy redirects call to Keycloak auth endpoint
  • Keycloak now doesn’t respond with login page, but redirects directly to app’s /callback-endpoint with a valid auth code.
  • Keycloak (DEBUG) logs show:
    • […] invoke authenticator.authenticate: auth-cookie
    • […] authenticator SUCCESS: auth-cookie

Is this intended behaviour?

I was under the impression that after the SSO timeout has passed, the user would be required to log in again via the login form.