2.
Just get your auth / profile editing external site to sync to Discourse server-side as soon as a change occurs, it’s a single HTTP request. No need for messages etc. You should not be doing this client-side - i.e. no worries about closing a tab.
For security reasons I would avoid going beyond 60 days without requiring re-auth if the user hasn’t interacted with Discourse.
3.
If users do use your external site just have your page contain insert a hidden IFRAME / EMBED of the Discourse site to the URL /session/sso
…
Only add this hidden IFRAME when the user hasn’t been authenticated recently (so it doesn’t slow down every page load) - probably just when they initially login.
This will keep the Discourse session alive. (EDIT: Note this will also log them into Discourse if they aren’t already)
You can look to the Discourse WordPress plugin I believe it contains something like this.