Conceptual question on OAuth logout, specifically the Keycloak implementation.
I’m not understanding why Keycloak’s logout endpoint requires the caller to pass in both an access token and a refresh token. From the source code of
LogoutEndpoint#logoutToken, we see this Javadoc comment:
You must pass in the refresh token and authenticate the client if it is not public.
“authenticate the client” is clear - Keycloak wants to check your identity and ensure you can only logout yourself. Why it needs a refresh token is unclear.
The first thing this method does is access the refresh token from the request body and verify it. The git commit which added this verification references KEYCLOAK-6771 which is about supporting HoK tokens (a reference to the OpenID Financial API). However, the code path verifies the request token for all logout requests, not just for HoK tokens.
By contrast, RFC 7009 OAuth 2.0 Token Revocation, which has been supported by Keycloak since 10.0.0 via GitHub PR #6704, does not require passing a refresh_token to revoke an access token. However, I seem to again be misunderstanding something fundamental about the protocol, because while Keycloak supports RFC 7009, they choose to only allow revoking refresh_tokens and will not allow revoking access_tokens.
Is this because they cannot guarantee an access_token will no longer be accepted by downstream clients?
So I have two big conceptual questions:
- Why does KC’s logout endpoint require passing a valid refresh token?
- Why does KC’s token revocation endpoint only support revoking refresh tokens?