From Session Removal To Token Invalidation

Hello, I’m using the latest version of Directus with the latest version of Keycloak.
I’m using an OpenID session mode.

As I noticed, the directus_session_token is not invalidated when the admin removes that user’s Keycloak session from the Keycloak UI.
I imagine that’s for optimization purposes, but is there a workaround for this?

As I saw, I can create custom events on Keycloak, and it wouldn’t be hard to create a custom Directus extension that takes my Keycloak session ID when I log him out and uses it to invalidate it as the admin required.
But is that possible?

Am I doing something wrong?

Hi,

You’re on the right track. You could create a custom HTTP endpoint flow in Directus and then handle any events sent from your Keycloak instance.

Then in the flow, update users where external_identifier = the keycloak id.

{
    "data": {
        "status": "suspended"
    },
    "query": {
        "filter": {
            "external_identifier": {
                "_eq": "[Keycloak ID]"
            }
        }
    }
}