react-oidc-context
How can we check if the user is logged out of the identity provider?
Identity provider: keycloak
If the user's session is terminated via the Keycloak admin API, is there a way to check if the user's session still exists?
I know we can call Keycloak api/introspect or user details; I am seeing if there is a way to check this in the library.
The user will be able to use your protected API as long as the access token (or refresh token, depending on whether you use it) is still valid (the tokens include their own expiration, signed by Keycloak, verified by your API with Keycloak's public key or shared secret). The token in that sense is like a ticket, and as long as a user has a valid ticket, he can use it. You cannot "steal" it back.
However, if you still want to reject some users, every time you verify a token, your API would need to ask Keycloak if a user still has a session/is registered (AFAIK outside of the OAuth standard); otherwise it's impossible to know if a JWT comes from a "terminated" or "non-terminated" user.
The underlying library has a feature monitorSession, maybe that is what you are looking for...
See https://authts.github.io/oidc-client-ts/interfaces/UserManagerSettings.html#monitorSession
To be clear, you can still deny a user access to your API, even though there is a valid token.
Here is a good explanation: https://community.auth0.com/t/best-practice-for-checking-if-token-is-revoked-in-api/17460/2
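
The server-side check discussed in the replies above (the API asks Keycloak whether a token is still active before trusting it), as an added example that is not part of the thread or of react-oidc-context. It assumes a confidential client allowed to call Keycloak's token introspection endpoint; the realm URL, client credentials, TTL and the `createSessionChecker` / `fakeKeycloak` names are hypothetical, and the Keycloak stand-in is constructed so the block runs offline.

```javascript
// Added example: RFC 7662 introspection with a short cache, failing closed.
// ttlMs is the longest time a terminated session is still accepted by the API.
function createSessionChecker({ realmUrl, clientId, clientSecret, ttlMs = 30000,
                                fetchImpl = globalThis.fetch, now = Date.now }) {
  const endpoint = `${realmUrl}/protocol/openid-connect/token/introspect`;
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  const cache = new Map(); // token -> { active, expires }

  return async function isTokenActive(token) {
    const hit = cache.get(token);
    if (hit && hit.expires > now()) return hit.active;

    let active;
    try {
      const res = await fetchImpl(endpoint, {
        method: "POST",
        headers: {
          Authorization: `Basic ${basic}`,
          "Content-Type": "application/x-www-form-urlencoded",
        },
        body: new URLSearchParams({ token }).toString(),
      });
      if (!res.ok) return false;          // IdP rejected the call: deny, do not cache
      active = (await res.json()).active === true;
    } catch {
      return false;                       // IdP unreachable: deny, do not cache
    }
    cache.set(token, { active, expires: now() + ttlMs });
    return active;
  };
}

// Constructed stand-in for Keycloak: tokens in `terminated` come back inactive.
function fakeKeycloak(terminated, calls) {
  return async (url, init) => {
    calls.push(url);
    const token = new URLSearchParams(init.body).get("token");
    return { ok: true, json: async () => ({ active: !terminated.has(token) }) };
  };
}
```

Run this after the normal signature and expiry verification of the JWT, and deny the request when `isTokenActive` resolves to `false`.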