Currently it is only possible to set lifespan on the SSO session and not on individual clients. If SSO session lifespan is large that results in tokens/assertions sent to clients having a long lifespan.
Long lifespan for some clients may be acceptable, but for others not. Long expiration on tokens also increases the risk of tokens being leaked. Finally, there is also a risk involved if a client was not successfully logged-out during a single log-out in which case the client can remain authenticated for a long time after the SSO session has been removed.
Make it possible to configure a default client session max and idle at the realm level, with the option to override on individual clients.
Add "Client Session Max" and "Client Session Idle" configuration options on the realm, with options to override on individual clients. If not specified it would fallback to SSO Session Idle/Max.
"Client Session Max" and "Client Session Idle" will not have any impact on the SSO session.
Client should also have an option to specify a default max age for authentication. With "Client Session Max" this is now possible as it is possible to enforce clients having to redirect back to Keycloak to obtain new tokens/assertions.
Refresh token, ID token and access token exp should be set to "Client Session Idle". A new claim "exp_max" should be added to the Refresh Token which is set to "Client Session Max".
A refresh token can be used as long "exp_max" has not passed. Once the refresh token is expired the client will need to initiate a new authentication flow to obtain new tokens. As long as the SSO session is valid it can do this without any interaction required by the user.