Closed marek-ganko closed 6 years ago
I would need some additional information:
But this looks like expected behaviour. Kong OIDC has a session and your application with the token has a different session. If you are logging out with the session from one application, it shouldn't interfere with any other sessions that are established.
A logout invalidates the tokens within the session which made the call, but it doesn't mean that other sessions are invalidated.
Closing due to inactivity
Problem: Kong OIDC plugin is caching the session.
Description: In my scenario I have application A that uses the Kong plugin, and application B that uses Implicit Grant authentication straight to Keycloak. It seems that after logout from application B (using this redirect/auth/realms//protocol/openid-connect/logout) I can still access application A, even though there are no active sessions visible through the Keycloak admin console.
It can also be reproduced by simply destroying the active session through the Keycloak admin console.