I have created a mobile application which is using Cordova. In the application I run keycloak.login with scope=offline_access, which gives me an offline token which I store. So I can use that token in the keycloak.init JavaScript adapter to remain logged in even if I close the mobile app and open it the next day.
But the problem is that when I run keycloak.logout() the offline token is not revoked. Is there any way to remove the offline token for the user within a JavaScript application?
“Users can view and revoke offline tokens that have been granted by them in the User Account Service. The admin user can revoke offline tokens for individual users in admin console in the Consents tab of a particular user. The admin can also view all the offline tokens issued in the Offline Access tab of each client. Offline tokens can also be revoked by setting a revocation policy.”
So, it looks like the admin can revoke individual tokens or all tokens at once.
If you want the user to do it as part of a logout, you should be able to call the User Account REST Service to do the same thing:
GET http://{host}/auth/realms/{realm}/account/sessions
Figure out which returned session is the offline session
I’m using Keycloak 25 and the delete command from the post of @xgp did not work for me. But I found a logout API that works for offline tokens in the source code that I did not find anywhere else in the forum or the documentation that worked for me:
Replying to a 4-year-old thread and saying that something does not work is a bit … let’s say “challenging”. Things changed a lot in the past. Most probably you just have to skip the /auth part of your path.
However, the logout endpoint you called “undocumented” is the default end_session_endpoint from the OIDC config document, retrievable through the /.well-known/openid-configuration path. That’s part of the OIDC spec.
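Added example, not part of any post in this thread: one way a JavaScript client could resolve the end_session_endpoint from the discovery document and use it to end the offline session on logout. It assumes a public client and that the endpoint accepts a form-encoded POST with `client_id` and `refresh_token`; the function names, host, realm and client ID are hypothetical.

```javascript
// Added example (not from the thread). Function names are hypothetical.

// Build the discovery URL. baseUrl is the server root: older Keycloak
// deployments include "/auth" in it, newer ones do not.
function discoveryUrl(baseUrl, realm) {
  const root = baseUrl.replace(/\/+$/, "");
  return `${root}/realms/${encodeURIComponent(realm)}/.well-known/openid-configuration`;
}

// Turn a discovery document into the logout request for a stored offline token.
function buildLogoutRequest(config, clientId, offlineToken) {
  if (!config || typeof config.end_session_endpoint !== "string" ||
      typeof config.issuer !== "string") {
    throw new Error("discovery document lacks issuer or end_session_endpoint");
  }
  const endpoint = new URL(config.end_session_endpoint);
  const issuer = new URL(config.issuer);
  // A long-lived token must only go to the issuer's own origin, over TLS.
  if (endpoint.origin !== issuer.origin) {
    throw new Error("end_session_endpoint origin differs from issuer");
  }
  if (endpoint.protocol !== "https:") {
    throw new Error("refusing to send token over " + endpoint.protocol);
  }
  // Assumption: public client, so no client secret is sent.
  const body = new URLSearchParams({ client_id: clientId, refresh_token: offlineToken });
  return {
    url: endpoint.href,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Fetch the discovery document, then post the offline token to the logout endpoint.
async function revokeOfflineSession(baseUrl, realm, clientId, offlineToken, fetchImpl = fetch) {
  const res = await fetchImpl(discoveryUrl(baseUrl, realm));
  if (!res.ok) throw new Error(`discovery failed: HTTP ${res.status}`);
  const { url, init } = buildLogoutRequest(await res.json(), clientId, offlineToken);
  const out = await fetchImpl(url, init);
  if (!out.ok) throw new Error(`logout failed: HTTP ${out.status}`);
  return true; // the caller should now delete its stored copy of the token
}
```

After a successful call, the app should also erase the offline token from local storage so it cannot be replayed from the device.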