[keycloak-user] Session invalidation upon role changes?

Dmitry Korchemkin moon3854 at gmail.com
Thu Mar 16 11:20:59 EDT 2017


Is there a built-in way to invalidate session upon role changes in IDP?

I imagine the following scenario:
- user logs in, mapper gives him role X.
- user, using role X, gains access to some resource or application.
- admin removes role X from user on IDP side.
- user needs to be logged out after that, since he doesn't have access to
this resource anymore.

I've tried removing roles in Keycloak UI and it doesn't seem to invalidate
the session by default.

I know OIDC/SAML can store additional info in its tokens and we can
probably use it to carry roles information in refresh tokens and check it
on application side, but maybe there's already a way to do this with some
Keycloak configuration?
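The application-side check the post sketches, as an added example that is not part of the original message and not Keycloak's own code: roles are carried in the token, and the application re-checks the role on every request, so once the IdP stops issuing the role the next refreshed access token no longer carries it and access ends within one access-token lifetime. The token here is constructed and signed with a demo HMAC secret purely so the example runs offline; real Keycloak access tokens are RS256-signed with the realm key and would be verified against the realm's public key instead. The `realm_access.roles` claim layout is Keycloak's; `mint_token` stands in for the IdP and is an assumption of this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. A real verifier checks the RS256 signature with the
# realm's public key; HMAC is used here only to keep the example self-contained.
DEMO_SECRET = b"demo-only-shared-secret"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Reverse of _b64url; restores the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, roles: list, lifetime: int = 300, now: int = None) -> str:
    """Stand-in for the IdP (hypothetical): mint an HS256 JWT whose roles sit in
    the Keycloak-style realm_access.roles claim. Each refresh would call this
    again with the roles the IdP currently grants."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + lifetime,
               "realm_access": {"roles": roles}}
    encode = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = encode(header) + "." + encode(payload)
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: int = None) -> dict:
    """Check structure, algorithm, signature and expiry; return the payload or
    raise ValueError. The alg check rejects 'none' and algorithm confusion."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if now >= payload.get("exp", 0):
        raise ValueError("token expired")
    return payload


def has_role(token: str, role: str, now: int = None) -> bool:
    """Per-request authorization check: the role must be present in the token the
    application currently holds. A stale or tampered token yields False, which
    forces a refresh, and the refreshed token reflects the IdP's current roles."""
    try:
        payload = verify_token(token, now=now)
    except ValueError:
        return False
    return role in payload.get("realm_access", {}).get("roles", [])
```

The window during which a removed role still works is bounded by the access-token lifetime, so keeping that lifetime short is what turns "check roles on the application side" into a reasonably prompt revocation; the expiry check in `verify_token` is what enforces that bound.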
