The session is still active after SSO Session Idle timeout

Hi all,

I’m using a Spring application configured for Keycloak OAuth authentication.

I’m having an issue with the realm token timeout configurations. Namely, my “SSO Session idle” parameter is configured for 2 minutes.

As far as I understand, the expected behaviour would be: if the user is inactive, then after 2 (two) minutes the session should get invalidated in Keycloak, so that after refreshing the resource page, the user should be redirected to the login page.

However, I do not observe this behaviour after 2 minutes of being inactively authenticated. Namely, I can observe that the related session in Keycloak client/sessions, and/or the realm sessions, is still active. If I refresh my current application page, I’m redirected to it again without needing to re-authenticate.

The session gets invalidated after more than 8 minutes.

Could somebody please explain to me what I am missing in my KC configuration, or eventually what I am missing in my understanding of how KC user sessions work?

The session after 2, 3, 4 minutes:

This is my KC realm token configuration: