> The first objective is to force the user to log out if the user is idle or has no activity within 4 hours. So, in the web application, if it reaches 4 hours with no activity, it will then redirect to Gluu's login page.

This would have to be handled application side, where an inactive session time is tracked and compared with the last activity time. From here the application can delete the user's session, which would force them to re-auth, and additionally end the user's session at the OP using a [front channel logout](https://openid.net/specs/openid-connect-session-1_0.html#RPLogout), if you want them to be logged out globally.

> The second objective is to force the user to log out if the browser is closed. So the next time the user accesses the web application, it will redirect to Gluu's login page.

This can be achieved by disabling `sessionIdEnabled` in `Configuration` -> `JSON Configuration` -> `oxAuth Configuration`. Whenever the browser is closed, the session cookie should be deleted and they'll be prompted again to log in through oxAuth.
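
One way to implement the application-side idle check described in the first answer above, as an added example that is not part of the original reply or Gluu's own code. The class and method names are hypothetical, and the endpoint and redirect URLs are placeholders; the real `end_session_endpoint` should be read from the OP's discovery document.

```python
import secrets
import time
from urllib.parse import urlencode

IDLE_LIMIT_SECONDS = 4 * 60 * 60  # the 4-hour idle limit from the question
# Assumed placeholders: take end_session_endpoint from the OP's discovery document.
END_SESSION_ENDPOINT = "https://op.example.org/end_session"
POST_LOGOUT_REDIRECT_URI = "https://app.example.org/logged-out"


class IdleSessionStore:
    """Server-side sessions keyed by an opaque id, each with a last-activity time."""

    def __init__(self, idle_limit=IDLE_LIMIT_SECONDS, clock=time.time):
        self._sessions = {}
        self._idle_limit = idle_limit
        self._clock = clock  # injectable so the timeout can be tested

    def create(self, id_token):
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = {"id_token": id_token, "last_activity": self._clock()}
        return sid

    def check(self, sid):
        """Return ("ok", None), ("login", None) or ("logout", op_logout_url)."""
        session = self._sessions.get(sid)
        if session is None:
            return "login", None  # unknown or already deleted: re-authenticate
        if self._clock() - session["last_activity"] >= self._idle_limit:
            del self._sessions[sid]  # end the local session first
            return "logout", self._op_logout_url(session["id_token"])
        session["last_activity"] = self._clock()  # activity resets the idle timer
        return "ok", None

    def _op_logout_url(self, id_token):
        # Parameters defined by OpenID Connect RP-initiated logout.
        query = urlencode({
            "id_token_hint": id_token,
            "post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI,
        })
        return f"{END_SESSION_ENDPOINT}?{query}"
```

Call `check()` on every authenticated request: on `"logout"`, redirect the browser to the returned URL so the OP session ends too; on `"login"`, start a new authorization request.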