[keycloak-user] Strange behavior upon the RP initiated logout

Hey, I successfully integrated mod_auth_openidc with Keycloak: https://keycloak.gitbooks.io/securing-client-applications-guide/content/t... In addition to the master realm we use our own realm. I have strange behavior upon the RP initiated logout. I access RP logout URL it redirects to Keycloak using the logout endpoint (https://<ip>/auth/realms/realm/protocol/openid-connect/logout) as described here: https://github.com/pingidentity/mod_auth_openidc/wiki/Session-Management#... Unfortunately, Keycloak redirect me to the “Session not active” error string when I press on the logout after couple of minutes of work. The logout is successfully if I press the logout button after 1 or 2 minutes after the login. I have tried to debug Keycloak and I have found the following: TokenManager in the function org.keycloak.protocol.oidc.TokenManager#verifyIDToken calls to JsonWebToken and founds that the token is expired (org.keycloak.representations.JsonWebToken#isExpired) It caused since the expiration of the token is very short (couple of minutes). Questions: 1) How to configure the token expiration? I have increased “SSO Session Idle” to 90 minute but it does not change the token expiration (it remains short) https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/se... 2) Why logout cannot work after couple of minutes?