Tags: spring-security, keycloak, single-sign-on, spring-session, spring-oauth2

What's the relationship between Keycloak SSO Session Idle Time and Spring Session Timeout?


I am referencing the following tutorials to combine Keycloak OAuth2 with Spring Boot, Spring Gateway, Spring Security and Spring Session, saving the HTTP session in Redis:

I would like to control the idle timeout of logged-in users. If logged-in users do anything during this idle period, they should always keep their login status.

I find there are 2 settings I could configure:


After a user logs in to my website through Spring Gateway, I checked the TTL in Redis and it is always the same as the Spring Session Timeout, which suggests the Keycloak SSO Session Idle Time does not work.

So users are redirected to Keycloak after 30 minutes of idle time when accessing exposed Spring Gateway endpoints, are then automatically re-logged in to Keycloak, and are finally redirected back to Spring Gateway. Although users can continue on my website after 30 minutes of idle time, they still need to be redirected to Keycloak first to complete the re-login process.

From my understanding, the 30 minutes mentioned above is related only to the Spring Session Timeout, right? Keycloak SSO Session Idle Time has no impact here. Please correct me if I am wrong.


Solution

  • Each user has two distinct sessions in your system: one on Keycloak and a different one on your BFF.

    These sessions live independently of each other.

    What you configure as SSO session timeout in Keycloak influences only the Keycloak session, not the BFF one. It has an impact on what happens when the user is redirected to Keycloak (because the BFF session is not authorized or the refresh token has expired). But it changes nothing about how the BFF behaves.
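To make the two-timer behaviour in the answer concrete, here is an added Python model of the flow. It is not Keycloak, Spring Session, or the answerer's code; it is a constructed simulation with these assumptions: the BFF session is a sliding window whose TTL is reset on every request (as the Redis key's TTL is), and the Keycloak SSO session is only touched when the browser is actually redirected to Keycloak (no token refresh against Keycloak on ordinary BFF requests). The timeline values (login at 0 s, requests at 100 s, 1500 s and 3400 s) and the `SsoModel`, `IdleSession` and `run` names are all constructed for the example.

```python
"""Constructed model of the two independent idle timers in a Keycloak + Spring Session (BFF) setup.

Assumptions (not Keycloak or Spring behaviour taken from their code):
  * The BFF session is a sliding window: each request resets its TTL, like Spring Session
    resetting the Redis key's TTL to maxInactiveInterval.
  * The Keycloak SSO session is touched only when the browser is redirected to Keycloak;
    ordinary BFF requests never contact Keycloak here (no token refresh is modelled).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IdleSession:
    """A session that dies after `idle_timeout` seconds without activity."""
    idle_timeout: int
    last_activity: int

    def alive(self, now: int) -> bool:
        return now - self.last_activity < self.idle_timeout

    def ttl(self, now: int) -> int:
        """Seconds left before expiry, comparable to the TTL of the Redis session key."""
        return max(0, self.idle_timeout - (now - self.last_activity))

    def touch(self, now: int) -> None:
        self.last_activity = now


class SsoModel:
    SERVED = "served"                   # BFF session valid, no redirect at all
    SILENT_RELOGIN = "silent-relogin"   # BFF expired, Keycloak SSO alive: redirect, no password prompt
    FULL_LOGIN = "full-login"           # both expired: redirect and credentials prompt

    def __init__(self, bff_timeout: int = 1800, sso_idle: int = 600) -> None:
        self.bff_timeout = bff_timeout      # Spring Session timeout (seconds)
        self.sso_idle = sso_idle            # Keycloak SSO Session Idle (seconds)
        self.bff: Optional[IdleSession] = None
        self.keycloak: Optional[IdleSession] = None

    def login(self, now: int) -> None:
        """Interactive login: Keycloak creates an SSO session, then the BFF creates its own."""
        self.keycloak = IdleSession(self.sso_idle, now)
        self.bff = IdleSession(self.bff_timeout, now)

    def request(self, now: int) -> str:
        """One browser request to a protected BFF endpoint at time `now`."""
        if self.bff is not None and self.bff.alive(now):
            self.bff.touch(now)             # Redis TTL reset; Keycloak never sees this request
            return self.SERVED
        # BFF session gone: the BFF redirects the browser to Keycloak
        if self.keycloak is not None and self.keycloak.alive(now):
            self.keycloak.touch(now)        # SSO cookie still valid, idle timer reset
            self.bff = IdleSession(self.bff_timeout, now)
            return self.SILENT_RELOGIN
        self.login(now)                     # SSO session also expired: user re-enters credentials
        return self.FULL_LOGIN

    def bff_ttl(self, now: int) -> int:
        return self.bff.ttl(now) if self.bff is not None else 0

    def keycloak_ttl(self, now: int) -> int:
        return self.keycloak.ttl(now) if self.keycloak is not None else 0


def run(bff_timeout: int, sso_idle: int, times: List[int]) -> List[str]:
    """Log in at times[0], then issue one BFF request at each later time; return the outcomes."""
    m = SsoModel(bff_timeout, sso_idle)
    m.login(times[0])
    return [m.request(t) for t in times[1:]]


if __name__ == "__main__":
    timeline = [0, 100, 1500, 3400]         # constructed: login, then three requests
    print(run(1800, 36000, timeline))       # SSO idle 10 h: request at 3400 s is a silent re-login
    print(run(1800, 600, timeline))         # SSO idle 10 min: request at 3400 s prompts for credentials
```

The first run reproduces what the question describes: the Spring Session timeout (30 minutes) decides when the redirect happens, while the Keycloak SSO idle time only decides whether that redirect is silent or asks for a password. Shortening the SSO idle time below the BFF timeout, as in the second run, does not change the Redis TTL at all; it only turns the eventual redirect into a full login.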