I'm using keycloak gatekeeper to protect a simple front-end web application and it works well; users need to log in before they get to the actual site.
The problem is logging OUT. When I use the /oauth/logout URL, it seems to destroy the local session in the app, but does not actually log the user out. The next time I refresh, the user is logged in again.
I checked the keycloak gatekeeper logs, and whenever I hit the logout URL I see this:
error invalid response from revocation endpoint {"status": 400, "response": "{\"error\":\"invalid_grant\",\"error_description\":\"Invalid refresh token\"}"}
error no session found in request, redirecting for authorization {"error": "authentication session not found"}
info issuing access token for user {"email": "test@test.com", "expires": "2019-11-08T12:11:35Z", "duration": "4m59.409151193s"}
It looks like it tries to call the revocation-url, fails, and then just logs the user in again. The question is why the call to the revocation-url fails. I did not set up anything custom, this is just keycloak + keycloak-gatekeeper pretty much out-of-the-box.
Can anyone shed some light on this?
Here is the gatekeeper config (deployed in Kubernetes):
secure-cookie: false
client-id: dashboard
client-secret: xxx
discovery-url: https://xxx/auth/realms/dashboard
enable-default-deny: true
encryption_key: xxx
listen: 0.0.0.0:3000
redirection-url: https://domain.tld
upstream-url: http://127.0.0.1:80
Invalid refresh token
=> you need to enable refresh tokens:
enable-refresh-tokens: true
encryption-key: <your encryption key>
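To catch this misconfiguration before it reaches a cluster, here is an added lint script (my own example, not part of the question, the answer, or keycloak-gatekeeper) that reads the flat `key: value` layout shown in the question and flags the settings behind the "Invalid refresh token" logout failure: a missing `enable-refresh-tokens`, a missing `encryption-key`, a mis-spelt key such as `encryption_key` that gatekeeper would silently ignore, and `secure-cookie: false` on an https deployment. The 16/32-character key-length rule and the sample configs (including the placeholder hostnames) are assumptions I made for the example.

```python
"""Lint a flat keycloak-gatekeeper config for the logout/refresh-token issue."""

# Hyphenated keys gatekeeper reads (taken from the config on this page plus
# the two the answer adds). Anything else is ignored by gatekeeper, so an
# underscore variant such as encryption_key leaves the session unencrypted
# and /oauth/logout with no stored refresh token to revoke.
KNOWN_KEYS = {
    "secure-cookie", "client-id", "client-secret", "discovery-url",
    "enable-default-deny", "encryption-key", "enable-refresh-tokens",
    "listen", "redirection-url", "upstream-url",
}

def parse_flat_config(text):
    """Parse `key: value` lines (the layout used in the question) into a dict."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blank lines
        if ":" not in line:
            continue
        key, value = line.split(":", 1)               # split once: values may hold ':'
        cfg[key.strip()] = value.strip()
    return cfg

def lint_gatekeeper_config(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for key in cfg:
        if key not in KNOWN_KEYS:
            hint = key.replace("_", "-")
            suggestion = f", did you mean {hint}?" if hint in KNOWN_KEYS else ""
            findings.append(f"{key}: unknown key, silently ignored{suggestion}")
    if cfg.get("enable-refresh-tokens", "false").lower() != "true":
        findings.append("enable-refresh-tokens is not true: no refresh token is kept, "
                        "so /oauth/logout has nothing valid to revoke")
    enc = cfg.get("encryption-key")
    if enc is None:
        findings.append("encryption-key missing: needed to store the refresh token")
    elif len(enc) not in (16, 32):
        # Assumption: mirrors gatekeeper's AES-128/AES-256 key-length check.
        findings.append("encryption-key should be 16 or 32 characters (AES-128/256)")
    if (cfg.get("secure-cookie", "true").lower() == "false"
            and cfg.get("redirection-url", "").startswith("https://")):
        findings.append("secure-cookie: false on an https site: cookie may leak over http")
    return findings

# Constructed samples: the question's config (secrets replaced) and a fixed one.
BROKEN_CONFIG = """secure-cookie: false
client-id: dashboard
client-secret: REPLACE-ME
discovery-url: https://keycloak.example/auth/realms/dashboard
enable-default-deny: true
encryption_key: REPLACE-ME
listen: 0.0.0.0:3000
redirection-url: https://domain.tld
upstream-url: http://127.0.0.1:80
"""
FIXED_CONFIG = BROKEN_CONFIG.replace("secure-cookie: false", "secure-cookie: true").replace(
    "encryption_key: REPLACE-ME",
    "enable-refresh-tokens: true\nencryption-key: 0123456789abcdef0123456789abcdef")

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint_gatekeeper_config(parse_flat_config(text)) or "OK")
```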