How to set a user or group specific session idle timeout in keycloak

Question

I have a Java project for which I am using keycloak for login/authentication.

I have defined a group level attribute in which we set session idle timeout for users in that group.

I want the users in that group to be logged out from the UI or end the user session after those mentioned minutes. For example, if group level attribute value is 5 minutes and realm level session idle timeout value is 30 minutes then user should be logged out after 5 minutes and not 30 minutes.

I want the realm sso session idle timeout to be overridden by respective group level attribute for all the users.

Not able to find a way since we cannot modify the keycloak code for my project.

I am Keycloak version 20.0.1

Tried manipulating lastAccessTime for session but it's not working because to end session before realm level setting we need to set a time which is in past so that keycloak ends session by default after realm sso idle time.

Answer 1

Maybe you can implement it in frontend like this:

1. Fetch your group-Level timeout attribute in your frontend app (e.g. from ID Token or backend API).

2. Monitor use activity in your frontend app to determine idle time (e.g. listen to mouse movements, clicks, and keyboard events).

3. When idle time exceeds group-Level timeout, redirect the browser to Keycloak Logout endpoint (/realms/{realm-name}/protocol/openid-connect/logout).