I’m using Keycloak and Spring Boot. The problem is that when I log out a session in the Keycloak admin panel or with a REST call in the Spring project, although the session is removed from Keycloak, the user can still use that token to authenticate requests. As far as I can tell, the Keycloak adapter doesn’t check each token with the Keycloak server per request. Is that true? How can I solve this?
As some answers on other topics suggested, I tried the Backchannel Logout URL, but without success.
This is the error:
o.k.a.s.a.KeycloakLogoutHandler.logout:62 - Cannot log out without authentication
Access tokens cannot be invalidated in Keycloak, only refresh tokens. That is why it is recommended to keep the access token lifespan short (e.g. 1 minute) but the refresh token lifespan long.
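As an added illustration of the answer above (not code from this thread, from Keycloak or from the Spring adapter), here is the kind of purely local check a resource server performs on a bearer token: signature, expiry and a 1-minute lifespan policy, with no call back to Keycloak. The HS256 secret, the token builder and the claim values are constructed for the demo; Keycloak itself signs access tokens with RS256 against the realm key.

```python
import base64
import hashlib
import hmac
import json

# Constructed HMAC secret for this demo only; Keycloak signs access tokens
# with RS256, so a real resource server verifies against the realm public key.
DEMO_SECRET = b"demo-shared-secret"
MAX_LIFESPAN_SECONDS = 60  # policy from the answer above: 1-minute access tokens

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(iat: int, exp: int, secret: bytes = DEMO_SECRET) -> str:
    """Build a constructed HS256 JWT carrying only the claims the check needs."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iat": iat, "exp": exp, "sub": "demo-user"}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def check_token(token: str, now: int, secret: bytes = DEMO_SECRET) -> tuple[bool, str]:
    """Local validation only (signature, expiry, lifespan policy). Nothing here
    asks Keycloak whether the session still exists, which is why a server-side
    logout is invisible to the resource server until the token expires."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"  # pin the algorithm; never let the token choose it
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return False, "missing iat/exp"
    if exp - iat > MAX_LIFESPAN_SECONDS:
        return False, "lifespan exceeds policy"  # refuse tokens minted with a long lifespan
    if now >= exp:
        return False, "expired"
    return True, f"valid for {exp - now}s more"
```

A token issued before a logout still passes `check_token` until its `exp`, so the configured lifespan is the upper bound on how long a revoked session can keep being used.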
Thanks, I’ll do this approach…
But isn’t it dangerous? Even with a 1-minute lifespan…
And it adds overhead on the server, because we have to request a new access token with the refresh token many times…
Is there any plan to make this better in Keycloak?