I am trying to setup a keycloak SSO with a Drupal project, and I am having some troubles with session expiration.
Keycloak has 2 type of sessions:
a user session associated to KEYCLOAK_SESSION cookie
a client session associated to the KEYCLOAK_IDENTITY cookie (associated with a keycloak client specific to drupal)
Drupal has it own session that it create after keycloak login with its own expiration.
Now when a user sign in without 'remember me' checked user session (KEYCLOAK_SESSION) has an expiration date while client session (KEYCLOAK_IDENTITY) last until the user browser is closed.
When the user come back, we'd like for him to be logout, but he can still read his keycloak informations thanks to the KEYCLOAK_SESSION still being alive... but he cannot modify them thanks to the client session being closed... Leading to all sorts of bugs
Since there does not seem to be a keycloak settings that allow for a user session to last until the browser is closed (see our other question : Keycloak: how to have a USER session that last until the browser is closed)...
We'd like to detect if the client session has been ended from the drupal php side, is this possible and how?