[keycloak-user] SSO Session Idle timeout - strange behavior

[Jordan Keith]

We have an angular application which is using keycloak js and keycloak 3.4.3. We set a token timeout of 15 minutes, but if the user closes the application and comes back after 15 minutes, they are not forced to log back in because Chrome does not delete session cookies if it is set to restore the browser session. When the application is loaded, we issue a call to keycloak similar to the following: 

keycloakAuth.init({onLoad: 'login-required', checkLoginIframe: false}).success(...) 

This is the only call made to keycloak on startup. After that, periodic updateToken calls are made. 

We are trying to work around the persistent session cookie problem by setting the SSO Session Idle timeout to 15 minutes so that it matches our token timeout. I tested the behavior by issuing a refresh request 15 minutes after login. I received a 400 response as expected, but I'm encountering 2 issues: 

1). If I close the browser tab and reopen it immediately after the idle timeout occurs, I will be logged right back in via keycloak as if nothing happened. If I close the tab and wait approximately 2 minutes (really about 1:45), only then will I be redirected to the login screen. If the session is invalid, why am I not redirected to the login page immediately after reopening the application? I've tried this with different SSO Session Idle timeout values, and the time I need to wait is always the same. 

2). After the idle timeout occurs and I reopen the tab (after waiting 2 minutes), when I attempt to log in, I receive a message that I took too long to login and am forced to log in a second time. This occurs even if I try to log back in immediately after opening the tab. 
If it matters, these are my login-related timeouts: 

Client login timeout = 1 minute 
Login timeout = 30 minutes 
Login action timeout = 30 minutes 

Any help would be appreciated. 

Thanks, 
Jordan Keith