
Keycloak Offline token invalidated after logout


  1. I get an offline token by sending a request to /openid-connect/token using authorization_code (scope=openid offline_access). In the Keycloak admin console, in the Offline Access tab, I can see the created offline token for the user that I used to log in. (Offline Tokens:

  2. Then I log out the user by calling /openid-connect/logout, sending the offline token from 1. as a parameter. In the Keycloak admin console, in the Offline Access tab, I can see that the offline token for the user that I used to log in was removed. (Offline Tokens: 0)

  3. Then I try to get an access token with the offline token that I used to log out. I get the following response: Offline user session not found.

I would expect that despite a logout, the application can still use an offline token to obtain a new access token.

As it is described in Offline Access | keycloak-documentation : “The application can save this offline token in a database or on disk and can use it later even if user is logged out”.

My user has the role mapping for offline_access role. Client also has that role in its scope.

Am I doing something wrong?


Solution

  • There is a difference between logging out from the local client application and logging out from Keycloak.

    Logging out from the local client (killing the local session) would still allow the client to use the tokens in the background. So, it all depends on how you "define" what logout means.

    The alternative is that your client uses the client credentials flow to talk to backend APIs, regardless of whether the user is logged in or not.
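The distinction the answer draws, as an added example that is not code from the original post or from Keycloak: a local logout only discards the application's session and leaves the stored offline token usable, while posting that token to the Keycloak logout endpoint (step 2 of the question) removes the offline session, after which a refresh fails with "Offline user session not found". The realm, client id and secret are placeholders, and `FakeKeycloak` is a constructed stand-in for the server so the flow runs offline; `post` is any callable with the `requests.post(url, data=...)` shape.

```python
"""Keycloak offline tokens: local logout versus Keycloak logout (added example,
not code from the original post or from Keycloak). Realm, client id and secret
are placeholders; `post` is any callable with the requests.post(url, data=...)
shape, so the stand-in below runs without a server.
"""
from types import SimpleNamespace

BASE = "https://keycloak.example.com/realms/demo/protocol/openid-connect"
CLIENT = {"client_id": "demo-client", "client_secret": "<client-secret>"}


def refresh_with_offline_token(offline_token, post):
    # Step 3 of the question: mint a new access token from the stored offline token.
    r = post(f"{BASE}/token", data={**CLIENT, "grant_type": "refresh_token",
                                   "refresh_token": offline_token})
    body = r.json()
    if "access_token" not in body:
        # Once the offline session is gone, Keycloak answers invalid_grant with
        # the description seen in the question: "Offline user session not found".
        raise PermissionError(body.get("error_description", body.get("error")))
    return body["access_token"]


def local_logout(app_session):
    # Ends only the application's own session. The offline token kept in
    # storage stays valid in Keycloak, which is what the documentation promises.
    app_session.clear()


def keycloak_logout(offline_token, post):
    # Step 2 of the question: posting the offline token to the logout endpoint
    # removes the offline session in Keycloak, so refreshing with it then fails.
    r = post(f"{BASE}/logout", data={**CLIENT, "refresh_token": offline_token})
    return r.status_code == 204


class FakeKeycloak:
    """Constructed stand-in modelling only Keycloak's offline-session table."""
    def __init__(self, offline_tokens):
        self.sessions = set(offline_tokens)  # what the "Offline Access" tab lists
    @staticmethod
    def _resp(status, body):
        return SimpleNamespace(status_code=status, json=lambda: body)
    def post(self, url, data):
        tok = data["refresh_token"]
        if url.endswith("/logout"):
            self.sessions.discard(tok)  # the offline session is removed
            return self._resp(204, {})
        if tok in self.sessions:
            return self._resp(200, {"access_token": "new-access-token"})
        return self._resp(400, {"error": "invalid_grant",
                                "error_description": "Offline user session not found"})
```

Against a real server, pass `requests.post` as `post` and keep the offline token in the application's storage rather than in the user session, so a local logout never discards it.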