Access token invalidation after logout — guidance requested


nandish kumar

Mar 3, 2026, 5:04:42 AM
to Keycloak User
Hi Team,

We’re raising a security concern about access token invalidation after logout.
Issue overview
  • User logs in via UI and obtains an access token (copied from network).
  • User logs out from the UI.
  • The access token remains valid for its full lifetime (10 minutes).
  • If the same token is used to call internal APIs during that window, it still succeeds because the API validates only kid and iss.

Security concern
Our security team has suggested that access tokens should become invalid immediately after logout.

Request

Is it possible to implement a custom SPI in Keycloak to revoke/invalidate access tokens on logout?
If not, are there recommended alternatives?
Kindly advise on the best approach.

Thank you

Saahil Rout

Mar 3, 2026, 1:11:48 PM
to nandish kumar, Keycloak User
Hi Nandish,

Thanks for raising this. Your observation is correct: in Keycloak, access tokens are JWTs and remain valid until expiry because Keycloak does not maintain server-side state for them. Logout clears the session and invalidates the refresh token, but it does not retroactively revoke already-issued access tokens.

Direct invalidation is not possible unless an additional validation layer is introduced. Here are the recommended approaches:

1. Use Token Introspection + OAuth2 Resource Server Adapter
Instead of validating only the kid and iss, configure your internal APIs to validate tokens via Keycloak’s Introspection Endpoint. This ensures tokens become invalid the moment a session ends.

2. Reduce Access Token Lifespan
Lower the access token TTL (e.g., from 10 minutes to 1–2 minutes) and rely on refresh tokens. This is the official Keycloak-recommended mitigation for JWT revocation.

3. Enable Backchannel Logout
APIs that support backchannel logout can receive logout events from Keycloak to locally clear cached authentication states.

4. Custom SPI (Not Recommended)
While building a custom Token Store SPI is technically possible, it is fragile, goes against Keycloak’s design, and introduces significant maintenance complexity.

Clear Recommendation:
I suggest using token introspection combined with a shorter access token lifespan. This is the most secure approach and maintains Keycloak’s architectural integrity.

I am happy to help configure this if needed.

Regards,
Saahil


To view this discussion visit https://groups.google.com/d/msgid/keycloak-user/addcb544-7d4b-4146-b12b-cbc08bae8eefn%40googlegroups.com.

nandish kumar

Mar 4, 2026, 12:13:21 AM
to Keycloak User

Hi Shiva and Saahil,

Thank you for your quick response. We will review your suggestions.

Our concern is regarding the use of the Token Introspection endpoint. Since we have a large number of microservices integrated with Keycloak, using the introspection endpoint for every request may impact response time and overall performance. This is why we are evaluating it carefully.

We need to think about the Redis session store option; not sure whether management will agree or not.


Regards
Nandish.
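To make the trade-offs discussed in this thread concrete, here is an added example, not code from the thread or from Keycloak itself: a resource-server validator in Python that performs full local JWT checks (signature, kid, iss, aud, exp, rather than kid and iss alone), keeps a denylist of session IDs fed by OpenID Connect backchannel logout tokens, and falls back to introspection behind a short-TTL cache to bound the per-request cost raised in the last message. It assumes the access token carries Keycloak's `sid` session claim and that the logout token follows the OIDC Back-Channel Logout format (`sid` plus the `http://schemas.openid.net/event/backchannel-logout` event). The HS256 shared key, the issuer URL `https://sso.example.test/realms/demo`, the audience `internal-api`, the session set and the in-process `introspect` callable are all constructed stand-ins for the realm's RS256 keys, session store and `/protocol/openid-connect/token/introspect` endpoint.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins for the realm. Keycloak really signs with RS256 under the
# published kid; HS256 with a shared key keeps this example self-contained.
REALM_KEY = b"constructed-demo-signing-key"
ISSUER = "https://sso.example.test/realms/demo"  # assumed realm issuer URL
AUDIENCE = "internal-api"                         # assumed aud claim of the internal APIs
KNOWN_KIDS = {"demo-kid"}
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict, kid: str = "demo-kid") -> str:
    """Issue a compact JWT as the realm would (used here for access and logout tokens)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    signing_input = header + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(REALM_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_signature(token: str):
    """Return the claims if the kid is known and the signature verifies, else None."""
    head, body, sig = token.split(".")
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256" or header.get("kid") not in KNOWN_KIDS:
        return None
    expected = hmac.new(REALM_KEY, (head + "." + body).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))

def validate_weak(token: str) -> bool:
    """The check the thread describes: kid and iss (plus signature), nothing about logout."""
    claims = verify_signature(token)
    return claims is not None and claims.get("iss") == ISSUER

class RevocationAwareValidator:
    """Full local JWT checks, then two revocation sources: a sid denylist fed by
    backchannel logout (immediate, no round trip) and time-bounded cached introspection."""

    def __init__(self, introspect, cache_ttl: int = 30):
        self.introspect = introspect  # callable(token) -> bool; stands in for .../token/introspect
        self.cache_ttl = cache_ttl    # bounds both the call rate and the post-logout window
        self.revoked_sids = set()
        self._cache = {}              # sha256(token) -> (active, expires_at); never cache raw tokens

    def on_backchannel_logout(self, logout_token: str) -> bool:
        """Handle a backchannel logout token from the IdP and record its sid as revoked."""
        claims = verify_signature(logout_token)
        if claims is None or claims.get("iss") != ISSUER or not claims.get("sid"):
            return False
        if LOGOUT_EVENT not in claims.get("events", {}):
            return False
        self.revoked_sids.add(claims["sid"])
        return True

    def validate(self, token: str, now: float):
        claims = verify_signature(token)
        if claims is None or claims.get("iss") != ISSUER:
            return False, "bad signature, kid or issuer"
        aud = claims.get("aud")
        if AUDIENCE not in (aud if isinstance(aud, list) else [aud]) or claims.get("exp", 0) <= now:
            return False, "wrong audience or expired"
        if claims.get("sid") in self.revoked_sids:
            return False, "session logged out"
        key = hashlib.sha256(token.encode()).hexdigest()
        hit = self._cache.get(key)
        if hit is None or hit[1] <= now:
            hit = self._cache[key] = (self.introspect(token), now + self.cache_ttl)
        return hit[0], "introspection"

def demo() -> dict:
    """Walk the thread's scenario: log in, copy the token, log out, replay it."""
    active_sessions = {"sess-1"}  # constructed stand-in for the IdP's session state
    calls = []
    def introspect(token):        # constructed introspection endpoint
        calls.append(1)
        return verify_signature(token).get("sid") in active_sessions
    t0 = 1_700_000_000
    token = mint({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-1", "sid": "sess-1", "exp": t0 + 600})
    v = RevocationAwareValidator(introspect, cache_ttl=30)
    out = {"before_logout": v.validate(token, t0)[0]}
    active_sessions.discard("sess-1")  # the UI logout: session gone, token bytes unchanged
    out["weak_check_after_logout"] = validate_weak(token)       # still True: the reported gap
    out["cached_after_logout"] = v.validate(token, t0 + 10)[0]  # still True inside the 30 s cache window
    out["after_cache_expiry"] = v.validate(token, t0 + 40)[0]   # False: introspection finds no session
    v2 = RevocationAwareValidator(introspect, cache_ttl=30)     # a second API instance with a cold cache
    v2.on_backchannel_logout(mint({"iss": ISSUER, "aud": AUDIENCE, "sid": "sess-1", "iat": t0 + 1,
                                   "jti": "evt-1", "events": {LOGOUT_EVENT: {}}}))
    out["backchannel_rejected"] = not v2.validate(token, t0 + 2)[0]  # True, with no introspection call
    out["introspection_calls"] = len(calls)                          # 2 across the four validations
    return out
```

The `demo()` walk-through puts the three behaviours side by side: the kid-and-iss check accepts the copied token after logout for the rest of its lifetime; the cached introspection path still accepts it for up to `cache_ttl` seconds after logout while making only two upstream calls across four validations; the backchannel-logout path rejects it on the very next request with no upstream call at all. The cache TTL is the knob that caps both introspection traffic and the post-logout window, so set it to the delay the security team will accept. Entries in the `sid` denylist only need to live as long as the access token lifespan, since anything older fails the `exp` check anyway.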
