Description
Keycloak version 25.0.2
Described in this thread: single sign on - Logout from Keycloak does not logout Active Directory User - Stack Overflow
If the only refresh token (Refresh Token Max Reuse = 0) is revoked, it appears to me that Keycloak considers the user session terminated. After that, the redirect to the logout endpoint (/realms/master/protocol/openid-connect/logout) results in a “session_expired” error in Keycloak. But Keycloak plays nice and still redirects to the post_logout_redirect_url.
Everything looks fine at the frontend. But the reality is that the identity provider logout is omitted from the process. So when the user logs in again with the same identity provider (like Azure AD), they are not prompted for the user name or credentials, as if they were still remembered in Keycloak. This can also be regarded as the identity provider not being logged out. The login just succeeds right away.
Is ‘revoking the refresh token is treated as session terminated’ a feature or a bug?
This behavior can also be confirmed by checking the Sessions panel in the Keycloak admin console. Once the refresh token is revoked, the session is gone.
My thought was that the refresh token should be revoked before redirecting to the logout endpoint, especially the offline refresh token, which would still be valid for quite a while even after logout.
But revoking the refresh token would break the normal logout procedure if an identity provider is involved.
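The two requests involved in the flow above, as an added example (not code from the Keycloak project or from this issue): the RP-initiated logout is sent while the Keycloak session still exists, so the identity provider logout can run, and the refresh token (offline or not) is revoked afterwards rather than before. The realm, client, secret and URLs are assumed placeholders; the endpoint paths are Keycloak's standard OIDC logout and RFC 7009 revocation endpoints.

```python
from urllib.parse import urlencode, parse_qs
from urllib.request import Request

# Assumed values, not taken from the issue.
BASE = "https://kc.example/realms/master"
CLIENT_ID, CLIENT_SECRET = "myclient", "s3cr3t"
POST_LOGOUT = "https://app.example/loggedout"  # must be registered on the client


def logout_url(id_token: str) -> str:
    """RP-initiated logout. Sent FIRST, while the Keycloak session still exists,
    so Keycloak can also log the user out at the identity provider (e.g. Azure AD)
    instead of answering session_expired and merely redirecting."""
    q = {"id_token_hint": id_token,
         "post_logout_redirect_uri": POST_LOGOUT,
         "client_id": CLIENT_ID}
    return f"{BASE}/protocol/openid-connect/logout?{urlencode(q)}"


def revoke_request(refresh_token: str) -> Request:
    """RFC 7009 revocation of the refresh token (covers offline tokens, which
    stay valid long after logout). Sent AFTER logout: with Max Reuse = 0,
    revoking the only refresh token removes the session, and a logout redirect
    issued after that hits session_expired with no identity-provider logout."""
    body = urlencode({"token": refresh_token,
                      "token_type_hint": "refresh_token",
                      "client_id": CLIENT_ID,
                      "client_secret": CLIENT_SECRET}).encode()
    return Request(f"{BASE}/protocol/openid-connect/revoke", data=body, method="POST")


def logout_then_revoke(id_token: str, refresh_token: str, send):
    """Run both steps in the safe order. `send(method, url, body)` performs one
    HTTP call (e.g. via urllib or a browser redirect); the recorded step names
    are returned so the ordering can be checked."""
    steps = [("logout", send("GET", logout_url(id_token), None))]
    req = revoke_request(refresh_token)
    steps.append(("revoke", send(req.get_method(), req.full_url, req.data)))
    return steps


def revoke_params(req: Request) -> dict:
    """Decode the revocation body (useful when auditing what the RP sent)."""
    return {k: v[0] for k, v in parse_qs(req.data.decode()).items()}
```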