I use React with Spring Boot as a Backend. To use Keycloak I added the “keycloak-spring-boot-starter” dependency. It’s working good, I can use my token to request things from it, but there is one problem. If I logout and my session in Keycloak is deleted, I can still use the token to request things from Spring Boot. It works until the token is not valid anymore (3 minutes). How can I make sure that the backend won’t accept the token anymore or ask Keyclaok again if it’s still valid?
That’s the nature of JWTs - they are “self-containing” and can be used until expired.
In case you want your session in your backend ist invalidated when logging out at Keycloak, use the admin-url configuration (see https://www.keycloak.org/docs/latest/server_admin/#oidc-clients and scroll down to “Admin URL”.
To check in Keycloak if a token is still valid, you can use the token_introspection endpoint, this is part of the authorization services, somewhere in https://www.keycloak.org/docs/latest/authorization_services/index.html