Upgrade to the latest version and this should be fixed.
On 1 February 2017 at 11:17, Known Michael <known.michael(a)gmail.com> wrote:
Hey,
I successfully integrated mod_auth_openidc with Keycloak:
https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/mod-auth-openidc.html
In addition to the master realm we use our own realm.
I see strange behavior on RP-initiated logout.
When I access the RP logout URL, it redirects to Keycloak using the logout endpoint
(https://<ip>/auth/realms/realm/protocol/openid-connect/logout) as
described here:
https://github.com/pingidentity/mod_auth_openidc/wiki/Session-Management#logout
Unfortunately, Keycloak redirects me to the “Session not active” error
string when I press logout after a couple of minutes of work.
The logout is successful if I press the logout button 1 or 2
minutes after the login.
I have tried to debug Keycloak and I have found the following:
TokenManager, in the function
org.keycloak.protocol.oidc.TokenManager#verifyIDToken, calls
JsonWebToken
and finds that the token is expired
(org.keycloak.representations.JsonWebToken#isExpired).
This is caused by the expiration of the token being very short (a couple of
minutes).
Questions:
1) How do I configure the token expiration?
I have increased “SSO Session Idle” to 90 minutes but it does not change the
token expiration (it remains short).
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/sessions/timeouts.html
2) Why does logout not work after a couple of minutes?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
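
Added example, not part of the original thread and not Keycloak or mod_auth_openidc code: a small diagnostic that decodes an ID token's iat and exp claims and reports whether it would count as expired at a given time, which is the condition the question traces to JsonWebToken#isExpired. The function names, the sample token, its issuer URL and the 5-minute lifetime are constructed for illustration, and the expiry comparison is a simplified assumption.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def id_token_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. No signature check: diagnosis only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def expiry_status(token: str, now: int) -> dict:
    """Report the token lifetime and whether it is expired at `now` (epoch seconds)."""
    claims = id_token_claims(token)
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int):
        raise ValueError("token has no numeric exp claim")
    return {
        "lifetime_s": exp - iat if isinstance(iat, int) else None,
        "remaining_s": exp - now,
        "expired": now > exp,  # simplified expiry rule, assumed for this example
    }

def make_sample_token(iat: int, lifetime_s: int) -> str:
    """Constructed, unsigned sample token; the signature segment is a dummy."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": "https://idp.example/auth/realms/realm",  # constructed issuer
               "iat": iat, "exp": iat + lifetime_s}
    segs = [_b64url_encode(json.dumps(p).encode()) for p in (header, payload)]
    return ".".join(segs + ["constructed-signature"])

if __name__ == "__main__":
    issued = 1485940620  # constructed login time (epoch seconds)
    token = make_sample_token(issued, 300)  # constructed 5-minute lifetime
    for minutes in (2, 10):
        print(minutes, "min after login:", expiry_status(token, issued + minutes * 60))
```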