SSO Session Idle: session is still active after expiration idle timeout

I am using Keycloak version 19. I am trying to understand how SSO Session Idle works.
I have:
Token Lifespan: 1 minute
SSO Session Timeout: 2 minutes
SSO Session Max: 10 hours

If I create a session at, for example, 20:00, then I will have:
access_token expiration at 20:01
refresh_token expiration at 20:02.

The problem is the session after 20:02 (user is inactive). It should be invalidated but it is not. The session is still valid and I see the session as valid in the administration console too. But the session will be invalidated an additional 5 minutes later, at 20:07.
What extends the session by an additional 5 minutes?
I am not using a cluster. Is there any cache time? What do I need to set?

Thank you for any tips.

Keycloak is adding some more minutes to the session idle time to prevent possible collisions due to not fully synchronized time settings between servers. But IMHO there should only be 2 minutes added, not 5.

Yes, I read something about 2 minutes for any synchronization etc.
But I tested it and I get not 2 minutes but 5 minutes.
I am using PostgreSQL for the database and LDAP as the identity provider.

But I cannot find anything anywhere about 5 minutes of syncing… Keycloak is running in development mode.

It seems resolved. I updated Keycloak from version 19 to the latest, 21.
I set Session SSO Idle to 3 minutes and the session expired after 3 minutes + 2 minutes (Keycloak synchro) = 5 minutes after inactivity. Hooray! 🙂

It seems to be some unknown bug in Keycloak 19.

With Keycloak 21 another problem started, with a duplicated user from LDAP federation. But that will hopefully be resolved and it looks like just a cosmetic issue in the admin console.