I have set the admin url for my bearer-only applications just like I do for my confidential applications.  In both cases (they are both war file deployments running in Wildfly 8.0.0 Final) it is the context-root of the war file.  When I log out the sessions from the keycloak  admin console, the confidential applications hear about the logout, and will respond with a redirect, but the bearer-only reply with the protected resource instead of responding with a 401 like I would expect.