I think this question was already asked but I am unable to find a suitable response.
I use this endpoint : kc_host/auth/realms//protocol/openid-connect/logout to logout user from Postman, I noticed that the logout does not invalidate the access_token. Is there another endpoint to call to invalidate access_token?
Thanks a lot
An Access Token itself cannot be invalidated since it contains an attribute that defines how long it is valid. This is designed this way to allow 3rd parties to do this check themselves independent of the idp.
Though you can invalidate the session which invalidates also the refresh token.
I believe that’s what happens on logout.
Also you see here why it’s advised to have a relatively short lifetime of an access token (typically a few minutes to an hour).