On the gateway, the Keycloak adapter (KeycloakWebSecurityConfigurerAdapter) skips the token after the user logs off:
1. The user enters the application. The session is active. Remember the token (Authorization: Bearer).
2. The user exits the application (keycloak.logout()). No session in Keycloak.
3. Make a request to auth/realms/realm/account with the saved token. No access. Good.
4. Make a request to the resource through the gateway (KeycloakWebSecurityConfigurerAdapter) with the saved token: there is access. Bug!?
Shouldn't KeycloakWebSecurityConfigurerAdapter check this by default?
How do I make the gateway not pass the token after keycloak.logout()?
----------------
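Added example (editor's illustration, not code from the post or from Keycloak): a minimal model of the four steps above, showing why a bearer JWT that the session-aware account endpoint rejects after logout can still pass a gateway that only validates the token offline, and how a token introspection check closes the gap. The HS256 signing key, user and session ids are constructed for the demo; real Keycloak tokens are RS256-signed, and the introspection call is an HTTP POST to the realm's `protocol/openid-connect/token/introspect` endpoint.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"demo-realm-key"  # constructed for the demo only

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub: str, session_state: str, ttl: int = 300) -> str:
    """Login: issue a signed JWT bound to an SSO session id (Keycloak's session_state claim)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub, "session_state": session_state,
                                 "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_offline(token: str):
    """What an adapter does on its own: signature and expiry only, no session lookup."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    return claims if claims["exp"] > time.time() else None

class Realm:
    """Stand-in for the Keycloak server: the set of SSO sessions that are still alive."""
    def __init__(self):
        self.sessions = set()
    def login(self, sub: str) -> str:
        sid = f"sess-{sub}"  # constructed session id
        self.sessions.add(sid)
        return mint_token(sub, sid)
    def logout(self, sid: str) -> None:
        self.sessions.discard(sid)  # keycloak.logout(): the session is gone, the JWT is not
    def introspect(self, token: str) -> dict:
        """Session-aware check, like the account endpoint or the introspection endpoint."""
        claims = verify_offline(token)
        return {"active": bool(claims) and claims["session_state"] in self.sessions}

def gateway_allows(token: str, realm: Realm, introspect: bool) -> bool:
    """Gateway decision. introspect=False reproduces the behaviour reported in the post."""
    claims = verify_offline(token)
    if claims is None:
        return False
    return realm.introspect(token)["active"] if introspect else True
```

With `introspect=False` the saved token keeps working until `exp`, which is exactly step 4; with `introspect=True` the gateway follows the server's session state as the account endpoint does in step 3.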