How would it fit with Keycloak's current architecture? As far as I can tell, the only SSO-level administrative permissions are either granted via the admin interface itself (where client-specific rules can come into play) or via service accounts (which don't have an associated session, all operations are performed via API requests). Other clients that may link to administrative permissions can also have client-specific rules.

Because of how SSO services work, the session timeouts only directly affect the SSO service's session itself, not how long sessions in client applications last, so it's not directly enforceable globally (e.g., the application may have a 24 hour session timeout, completely separate from the SSO). Applications can also add additional privilege escalation tests via step-up authentication, forcing user re-authentications, and so on, if needed.

There are three kind of admin roles I think of.

1. The admin role in the master realm ... ok that is no issue I can simply use a more restricted lifetimes in the master realm.

2. The realm-admin in each realm. I can select shorter lifetimes for the security-admin-console client, but that doesn't help because I cannot set prompt=login for that, so even if the shorter client idle timeout has expired my longer sso session idle is still valid and the admin doesn't have to reauthenticate.

3. Application admins. Here I would need to implement something manual like "Ah you are an admin I trigger a logout after 5 minutes". It would be easier if just at least the refresh token would be shorter, together with login=prompt it would be sufficient.