SSO Idle Timeout


I have a nodejs app with a react front end. I want that if a user doesn’t do anything in the browser for a while he must be logged out. So I set the SSO Idle Timeout to 1 minute, for trying. But it doesn’t seem to work. I login to the app and just wait at the page, click on nothing, but even after more than 1 minute, when I refresh the page I am still logged in. How can I solve this?

Also I am leaving my express-session configuration in case it is related to it.


    name: config.SESSION_NAME,

    secret: config.SESSION_SECRET,

    resave: false,

    saveUninitialized: true,

    proxy: true,

    rolling: false,

    cookie: {

        expires: 2*60*60*1000  .


    store: memoryStore


UPsie guysss pls im gonna get fired unless i solve this by tomorrow

SSO Session Idle Timeout is the time that refresh_token has to refresh access_token, what is the configuration of access_token duration, in option Access Token Lifespan?

And I think that you have to implement a idle in your application, after X time idle, your app have to logout the sessioin.

Are you using the keycloak js libary? I think that some things like that are resolved on the library.

Access Token Lifespan is 5 minutes and SSO Session Idle is 30 minutes. Yes I am using the official nodejs adapter. If I have to do it on the server-side, how can I do it?

Remember, when you lower the SSO Idle Session, you have to lower the access token lifespan. You have to renew access token before session idle reached. Ex. SSO Idle Session is 1 minut, access token lifespan needs to lower than.

I have done that but doing that absolutely does nothing, it doesn’t log me out.

Do you still have your job? If so, do you still need help with this?

YEAH I KEPT MY JOB BUT I HAD TO DO SOME THINGS I REALLY DON’T WANT TO NAME. any help is still more than appreciated.

For a full logout, you need the user to visit the logout end point (/user/logout). You could you use a timeout to redirect them if there is no activity.

Hi maybe there are some callback events of keycloak adapter js that can help you to develop what you want, read the doc.
If you are using react wrapper I recommend you to read their doc too.

A solution would be to pass a callback when initializing the keycloak instance which set a timeout function to calculate the expiration and execute logout.

Can that determine inactivity? That makes sense though. @dominicdettabp

Is there a way to determine inactivity? or do you suggest that I reset the timer in every http request?

I would also do the latter. It’s on my backlog, but because I regularly poll for data it’s non-trivial for my use case. I use the endpoint to sign users out of multiple browser sessions.

Ok thanks a lot. Will give it a try.

As you already suggested I would reset the timer in every http request.