nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0
454 stars 321 forks

Please explain how logout works? #58

Closed angapov closed 5 years ago

angapov commented 6 years ago

I don't understand how logout works with the oidc plugin. I specified logout_path in the plugin config, but it seems that the plugin simply redirects /logout to that path without contacting Keycloak. That means the Keycloak session is left intact? What should I configure in Kong and Keycloak to invalidate all of a user's tokens in one shot?

Trojan295 commented 5 years ago

Basically, JWT tokens are issued for a given time window during which they are valid. The simplest option to log out is simply to destroy the JWT (or the place where it is stored, e.g. a cookie). This is what happens in the case of Kong OIDC.

Those JWTs are issued by an OIDC Provider, and the user has to log in there first so that a JWT can be crafted for Kong OIDC. If you want to trigger a logout from the OIDC provider, you need to redirect him to the end session endpoint. Kong OIDC does this as well.

But as OIDC Providers can handle multiple clients, one client cannot destroy valid tokens from other applications. So it's impossible to invalidate all user tokens. That's an issue with JWT... as the validation of a JWT is based on a crypto signature and an expiration date, the validation can be performed without an active connection to the OIDC provider, thus they cannot be invalidated. That's why they should have short expiration times (a few minutes).

TL;DR: Kong OIDC logs out by destroying the session cookie holding the JWT and redirecting the user agent to the OIDC End Session Endpoint, to log the user out there too. It's impossible to invalidate issued user tokens other than by destroying them.
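The two halves of that answer, as an added example that is not the plugin's Lua code: the logout response a gateway sends (clear the session cookie, redirect the browser to the provider's `end_session_endpoint` with `id_token_hint` and `post_logout_redirect_uri`, per OpenID Connect RP-Initiated Logout), and an offline signature-plus-expiry check showing why a copy of the JWT stays valid until `exp` regardless of that logout. The endpoint URL, cookie name and HS256 key are constructed stand-ins, not values from Kong or Keycloak.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Constructed stand-ins (assumptions, not values from the plugin or Keycloak).
END_SESSION_ENDPOINT = "https://idp.example.com/realms/demo/protocol/openid-connect/logout"
SESSION_COOKIE = "session"          # assumed name of the cookie holding the JWT
KEY = b"constructed-demo-hmac-key"  # constructed HS256 key, not a real secret

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a JWT the way a provider would; only the signature and exp matter later."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_offline(token: str, key: bytes, now: int) -> bool:
    """Stateless check: signature plus expiry, no round trip to the provider."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return False
    return json.loads(b64url_decode(payload))["exp"] > now

def build_logout_response(id_token: str, post_logout_redirect_uri: str) -> dict:
    """What the gateway sends on /logout: drop the cookie, then send the
    browser to the provider's end_session_endpoint (RP-initiated logout)."""
    query = urlencode({"id_token_hint": id_token,
                       "post_logout_redirect_uri": post_logout_redirect_uri})
    return {"status": 302, "headers": {
        "Set-Cookie": f"{SESSION_COOKIE}=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax",
        "Location": f"{END_SESSION_ENDPOINT}?{query}"}}

def demo(now: int = 1_700_000_000) -> tuple:
    token = sign_hs256({"sub": "alice", "exp": now + 300}, KEY)  # 5-minute lifetime
    resp = build_logout_response(token, "https://app.example.com/")
    # The gateway no longer holds the token, but anyone who still has a copy
    # can validate it offline until exp; only the short lifetime ends it.
    return resp, verify_offline(token, KEY, now + 60), verify_offline(token, KEY, now + 301)
```

Keycloak's end session endpoint accepts exactly these parameters, so the `Location` built here is the redirect the plugin's answer above describes; the short `exp` is what bounds the window in which a leaked copy of the JWT still verifies.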

Trojan295 commented 5 years ago

Closing, because of no interest