plugin does not detect changes to the SSO logged in user

[a-schild]

We use moodle 3.11.3+ Authentication is done via a keycloak server and miniorange plugin We have a portal, which handles user login/dashboard and also redirects the users to Moodle

This flow works correctly:

• User logs in in Dashboard via Keycloak
• User clicks on a course in the dashboard and gets forwarded to Moodle, which does the SSO via keycloak
• Once the user finishes his course, he logs out in moodle
• The next access to Moodle is the required to authenticate via Keycloak

What is not working as expected:

• User1 logs in in Dashboard via Keycloak
• User1 clicks on a course in the dashboard and gets forwarded to Moodle, which does the SSO via keycloak
• Once the user1 finishes his course, he just closes moodle, no logout in moodle
• The user1 does a logout in the Dashboard/Keycloak
• Then (on the same browser session/window) User 2 authenticates via dashboard in keycloak
• User2 then clicks on his course in the dashboard and gets redirected to the moodle course
• In moodle the User1 is still the one logged in, instead of User2

Is there a way to validate if the moodle-logged in user is still the same as the user logged in the sso provider?

[a-schild]

Seems this would require some sort of backchannel logout...