When performing a token revocation client not found #1022
Comments
Token revocation does not log out a user, it simply invalidates the passed-in access/refresh token that is associated with the user and authorized client. Please review the OAuth 2.0 Token Revocation spec for further details.
Thanks for the clarification. I didn't find a way to log out a user in an active session. This results in the frontend removing the keys, but when the browser is refreshed I am again logged in.
Did you find any solutions?
Unfortunately there isn't any possibility. Keycloak introduced so-called Post Logout URLs. When you post to a specific endpoint in Keycloak from that URL you can remove the token. There is an open PR in the Spring Authorization Server but it isn't implemented yet.
Hi @jgrandja, I've also stumbled into this logout issue, and I think addressing it is perhaps as straightforward as amending the "Developing Your First Application" example with a logout hook demonstration. (I'm aware that the IdP session cookie and the OAuth refresh token technically represent separate sessions, but this is a common scenario ~ even the initial intro conflates the IdP and OAuth responsibilities, which in some cases might be handled by separate services IRL 🤓)
@SamTV12345 @dlehammer FYI, logout capabilities are in the works via gh-266 and spring-security#7845. We're targeting the M1 release and we'll be updating the default messages sample to leverage the new logout mechanism.
Describe the bug
When I try to perform a token revocation to log out a client I get {"error": "Invalid client"
To Reproduce
Take the example authorization server and perform a logout on /oauth2/revoke.
Expected behavior
Invalidate the JSESSIONID token and get logged out.
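The two points this thread turns on, that a revocation request must authenticate the client (otherwise the server answers with the `invalid_client` error the reporter saw) and that a successful revocation invalidates only the presented token while the browser session at the authorization server stays alive, are easier to see in a small model of an RFC 7009 revocation endpoint. The following is an added example written for this page, not Spring Authorization Server code; the client registry, token values, session ids and the `/oauth2/revoke` handler signature are all constructed for illustration.

```python
"""Minimal model of an RFC 7009 token-revocation endpoint (constructed example).

It shows (1) why an unauthenticated or mis-authenticated client gets
{"error": "invalid_client"} rather than a revoked token, and (2) that revoking
an access/refresh token leaves the authorization server's browser session
(the JSESSIONID cookie) untouched, so a page refresh still finds the user
logged in at the authorization server."""
import base64
import hmac
from dataclasses import dataclass, field

# Constructed registry of confidential clients: client_id -> client_secret.
CLIENTS = {"messaging-client": "secret"}


@dataclass
class AuthServerState:
    # Constructed issued tokens: token value -> client_id it was issued to.
    tokens: dict = field(default_factory=lambda: {
        "access-abc": "messaging-client",
        "refresh-xyz": "messaging-client",
        "access-other": "other-client",
    })
    # Constructed browser sessions at the authorization server: JSESSIONID -> user.
    sessions: dict = field(default_factory=lambda: {"JSESSIONID-1": "user1"})


def basic_header(client_id, secret):
    """Build the HTTP Basic Authorization header a confidential client sends."""
    raw = f"{client_id}:{secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def _authenticate_client(headers):
    """Return the authenticated client_id, or None if credentials are missing/wrong."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = CLIENTS.get(client_id)
    # Constant-time comparison so secret checking does not leak timing information.
    if expected is None or not hmac.compare_digest(expected, secret):
        return None
    return client_id


def revoke(state, headers, form):
    """Handle POST /oauth2/revoke. Returns (HTTP status, JSON body)."""
    client_id = _authenticate_client(headers)
    if client_id is None:
        # RFC 7009 section 2.1 defers to RFC 6749 section 5.2: a client that fails
        # authentication is refused with invalid_client (401 when Basic auth was used).
        return 401, {"error": "invalid_client"}
    token = form.get("token")
    if token is None:
        return 400, {"error": "invalid_request"}
    # Only a token issued to the authenticated client is revoked. A token that is
    # unknown, already revoked, or issued to another client is treated as invalid
    # and, per RFC 7009 section 2.2, still answered with 200 (no information leak).
    if state.tokens.get(token) == client_id:
        del state.tokens[token]
    # Note what does NOT happen here: state.sessions is never touched.
    return 200, {}


def is_token_active(state, token):
    """True while the token has not been revoked."""
    return token in state.tokens


def is_session_active(state, session_id):
    """True while the authorization server still holds the browser session."""
    return session_id in state.sessions


if __name__ == "__main__":
    state = AuthServerState()
    print(revoke(state, {}, {"token": "access-abc"}))                      # invalid_client
    print(revoke(state, basic_header("messaging-client", "secret"),
                 {"token": "access-abc"}))                                # (200, {})
    print(is_token_active(state, "access-abc"), is_session_active(state, "JSESSIONID-1"))
```

Running the module revokes `access-abc` successfully yet reports the `JSESSIONID-1` session as still active, which is exactly the behaviour the reporter observed: the resource-facing token is gone, but the authorization server's own login session is a separate thing that RFC 7009 does not address, and a request without valid client credentials never gets as far as revoking anything.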