This repository has been archived by the owner on Dec 7, 2020. It is now read-only.

Proxy is not compatible with new token revocation endpoint of Keycloak 10 #662

Open
thomas-jakemeyn opened this issue Jul 15, 2020 · 0 comments

Comments

@thomas-jakemeyn

Summary

Starting from version 10.0.0, Keycloak exposes a new token revocation endpoint that implements RFC 7009.

RFC 7009 states that the revocation of a refresh token can be requested as follows:

POST /revoke HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token

As you can see, the request contains a mandatory parameter named token. If Keycloak does not find that parameter, it returns an HTTP 400: Token not provided (see code here).

Environment

  • Keycloak server 10.0.2
  • Proxy 10.0.0

Expected Results

The proxy is able to request the revocation of a refresh token when setting the configuration parameter revocation-url to the URL of the new token revocation endpoint that is provided by Keycloak.

Actual Results

The proxy passes a parameter named refresh_token (instead of token - see code here) and receives an error from Keycloak. As a consequence, it cannot log the user out anymore.

Steps to reproduce

  • Run the proxy against Keycloak 10+.
  • Set the revocation-url to https://<keycloak>/realms/<realm-name>/protocol/openid-connect/revoke.
  • Enable the refresh tokens.
enable-refresh-tokens: true
encryption-key: xxx
  • Login and logout through the proxy.
  • You should see this in the log:
error	invalid response from revocation endpoint	{"status": 400, "response": "{\"error\":\"invalid_request\",\"error_description\":\"Token not provided\"}"}
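To make the parameter mismatch concrete, here is an added Go example (not the proxy's or Keycloak's own code) that builds both request bodies and posts them to a constructed mock of the Keycloak 10 endpoint; the mock's rejection rule, the endpoint URL and the token value are assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// revocationForm builds the body RFC 7009 expects: mandatory "token" plus the optional hint.
func revocationForm(refreshToken string) url.Values {
	return url.Values{"token": {refreshToken}, "token_type_hint": {"refresh_token"}}
}

// legacyForm reproduces what the proxy sends today: "refresh_token", which RFC 7009 does not define.
func legacyForm(refreshToken string) url.Values {
	return url.Values{"refresh_token": {refreshToken}}
}

// mockRevokeHandler is a constructed stand-in for the Keycloak 10 endpoint (not Keycloak's
// code): a request without a "token" parameter is rejected with HTTP 400.
func mockRevokeHandler(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil || r.PostForm.Get("token") == "" {
		w.WriteHeader(http.StatusBadRequest)
		fmt.Fprint(w, `{"error":"invalid_request","error_description":"Token not provided"}`)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// revoke posts the form and returns status and body, which is what the proxy logs on failure.
func revoke(endpoint string, form url.Values) (int, string, error) {
	resp, err := http.Post(endpoint, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), nil
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(mockRevokeHandler))
	defer srv.Close()
	fmt.Println(revoke(srv.URL, legacyForm("constructed-token")))     // 400 ... Token not provided
	fmt.Println(revoke(srv.URL, revocationForm("constructed-token"))) // 200
}
```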