Red Hat build of Keycloak / RHBK-3486

Per client session idle time capped by realm level client idle timeout [GHI#35825]


      Before reporting an issue

      [X] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      core

      Describe the bug

      When specifying a per-client session idle time together with persistent sessions, the client sessions are removed once the timeout on the realm level is reached.

      There is currently no indication for the user that this is the case.

      This was first reported by @enastevska in https://github.com/keycloak/keycloak/issues/23687#issuecomment-2536229625

      Version

      main & 26.0.7

      Regression

      [ ] The issue is a regression

      Expected behavior

      1. Make it safe to use: Either allow a client to override the realm's client idle time with a longer value (up to the session time), or show an or keep the current behavior. Any invalid values should show errors on save, possibly also when opening the UI to show misconfigurations in existing values.

      2. Docs that align with the behavior, including the hints in the UI for the specific fields

      Actual behavior

      UI accepts the values without any warnings or errors. Client sessions are removed once the realm's client session timeout is reached.

      How to Reproduce?

      The following code doesn't look at individual clients:

      https://github.com/keycloak/keycloak/blob/9861acc2aaa6b8d588ef1155563c1f652ec08d28/model/jpa/src/main/java/org/keycloak/models/jpa/session/JpaUserSessionPersisterProvider.java#L257-L259

      Anything else?

      No response

              pvlha Pavel Vlha
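An audit of an exported realm for the misconfiguration this issue describes, as an added example that is not part of the report or of Keycloak's code: it flags clients whose per-client idle override is longer than the realm-level client idle timeout and therefore would not take effect. The key names `clientSessionIdleTimeout`, `ssoSessionIdleTimeout` and `client.session.idle.timeout`, and the fallback to the SSO idle value when the realm client value is 0, are assumptions about the realm export format; the sample realm is constructed.

```python
import json

# Constructed sample in the shape of a realm export (not taken from the issue).
SAMPLE_REALM = json.loads("""
{
  "realm": "demo",
  "ssoSessionIdleTimeout": 1800,
  "clientSessionIdleTimeout": 600,
  "clients": [
    {"clientId": "portal", "attributes": {"client.session.idle.timeout": "3600"}},
    {"clientId": "batch",  "attributes": {"client.session.idle.timeout": "300"}},
    {"clientId": "legacy", "attributes": {}},
    {"clientId": "broken", "attributes": {"client.session.idle.timeout": "abc"}}
  ]
}
""")

IDLE_ATTR = "client.session.idle.timeout"  # assumed per-client attribute key


def realm_client_idle(realm):
    """Realm-level client idle timeout in seconds.

    Assumption: a value of 0 (or a missing key) falls back to the
    realm's SSO session idle timeout.
    """
    return int(realm.get("clientSessionIdleTimeout") or 0) or int(
        realm.get("ssoSessionIdleTimeout") or 0)


def audit_client_idle(realm):
    """Return (clientId, value, reason) for every ineffective or invalid override."""
    cap = realm_client_idle(realm)
    findings = []
    for client in realm.get("clients", []):
        raw = (client.get("attributes") or {}).get(IDLE_ATTR)
        if raw in (None, ""):
            continue  # no per-client override configured
        try:
            override = int(raw)
        except (TypeError, ValueError):
            findings.append((client["clientId"], raw, "not an integer"))
            continue
        if cap and override > cap:
            findings.append((client["clientId"], override, f"exceeds realm value {cap}s"))
    return findings


if __name__ == "__main__":
    for client_id, value, reason in audit_client_idle(SAMPLE_REALM):
        print(f"{client_id}: {IDLE_ATTR}={value!r} {reason}")
```
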