Cannot revoke access token generated by Standard Token Exchange #43218

@thomasdarimont

Description

Area

oidc

Describe the bug

Access tokens obtained via internal-to-internal Standard Token Exchange cannot be revoked via the TokenRevocationEndpoint.

Version

26.4.0

Regression

  • The issue is a regression

Expected behavior

It should be possible to use the token revocation endpoint to mark an access token as revoked, regardless of whether it was created via token exchange or not.

Actual behavior

The TokenRevocationEndpoint call fails in the org.keycloak.protocol.oidc.endpoints.TokenRevocationEndpoint#checkUser method with "Invalid Token" and the USER_SESSION_NOT_FOUND error:
https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenRevocationEndpoint.java#L221

How to Reproduce?

  1. Set up token exchange with an initial / requester / target client
  2. Obtain a token AT1 for the initial client
  3. Perform an internal-to-internal token exchange with AT1 via the requester client, with the target client as audience, to obtain token AT2
  4. Call the token revocation endpoint with AT2 as the requester client

This last step will fail.

Anything else?

Note that calling the token introspection endpoint with AT2 from above returns the token claims AND "active":true.

Seems to be related to this issue #42565
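The reproduction steps above, as an added probe script that is not part of this issue or of the Keycloak code base. It runs the four steps against the standard Keycloak endpoints (token, revoke, token/introspect under /realms/{realm}/protocol/openid-connect/) and reports whether the exchanged token AT2 is rejected by revocation and still introspects as active, which is the combination this report describes. The realm name "demo", the clients "initial" (Direct Access Grants enabled), "requester" (Standard Token Exchange enabled) and "target", the user "alice", the secrets and the base URL are all placeholders; the HTTP transport is injected so the same check can be run against a stub.

```python
"""Probe for the revocation gap described in this issue: exchange AT1 for AT2,
revoke AT2, then introspect it.

Added example, not part of the issue or of Keycloak. Assumptions: realm "demo"
on http://localhost:8080, confidential clients "initial" (Direct Access Grants
enabled), "requester" (Standard Token Exchange enabled) and "target", and a
user "alice". All ids, secrets and URLs are placeholders.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"       # RFC 8693

# Transport is injected so the probe runs against a live server or a stub:
# post(url, form) -> (http_status, parsed_json_body)
Post = Callable[[str, Dict[str, str]], Tuple[int, dict]]


def urllib_post(url: str, form: Dict[str, str]) -> Tuple[int, dict]:
    """Form-encoded POST; returns (status, json) and does not raise on 4xx."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else {})


def endpoint(base: str, realm: str, suffix: str) -> str:
    return f"{base}/realms/{realm}/protocol/openid-connect/{suffix}"


def password_grant(post: Post, base, realm, client, user, password) -> str:
    """Step 2: obtain AT1 for the initial client (Resource Owner Password grant)."""
    status, body = post(endpoint(base, realm, "token"), {
        "grant_type": "password", "client_id": client["id"],
        "client_secret": client["secret"], "username": user, "password": password,
    })
    if status != 200 or "access_token" not in body:
        raise RuntimeError(f"password grant failed: {status} {body}")
    return body["access_token"]


def exchange_token(post: Post, base, realm, requester, subject_token, audience) -> str:
    """Step 3: internal-to-internal Standard Token Exchange, AT1 -> AT2 for `audience`."""
    status, body = post(endpoint(base, realm, "token"), {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": requester["id"], "client_secret": requester["secret"],
        "subject_token": subject_token, "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
    })
    if status != 200 or "access_token" not in body:
        raise RuntimeError(f"token exchange failed: {status} {body}")
    return body["access_token"]


def revoke_token(post: Post, base, realm, client, token) -> Tuple[int, dict]:
    """Step 4: RFC 7009 revocation; a successful call is HTTP 200 with an empty body."""
    return post(endpoint(base, realm, "revoke"), {
        "client_id": client["id"], "client_secret": client["secret"],
        "token": token, "token_type_hint": "access_token",
    })


def introspect_token(post: Post, base, realm, client, token) -> bool:
    """RFC 7662 introspection; True when the server still reports the token active."""
    _, body = post(endpoint(base, realm, "token/introspect"), {
        "client_id": client["id"], "client_secret": client["secret"], "token": token,
    })
    return bool(body.get("active"))


def check_exchanged_token_revocation(post: Post, base, realm, initial, requester,
                                     target_id, user, password) -> dict:
    """Run the four reproduction steps and report whether AT2 survives revocation."""
    at1 = password_grant(post, base, realm, initial, user, password)
    at2 = exchange_token(post, base, realm, requester, at1, target_id)
    status, body = revoke_token(post, base, realm, requester, at2)
    active = introspect_token(post, base, realm, requester, at2)
    return {
        "revoke_status": status,
        "revoke_error": body.get("error"),
        "active_after_revoke": active,
        # Affected when revocation is rejected or the token is still usable afterwards.
        "affected": status != 200 or active,
    }


if __name__ == "__main__":
    # Placeholder credentials (assumption); point these at a real test realm.
    result = check_exchanged_token_revocation(
        urllib_post, "http://localhost:8080", "demo",
        {"id": "initial", "secret": "initial-secret"},
        {"id": "requester", "secret": "requester-secret"},
        "target", "alice", "alice-password",
    )
    print(json.dumps(result, indent=2))
```

A server that behaves as expected returns HTTP 200 from the revoke call and "active": false from the following introspection, so "affected" is false; a server showing the behaviour in this report rejects the revoke call and keeps reporting AT2 as active. Revoking AT1 as well after the check is advisable on a shared test realm, since the probe leaves a live user session behind.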
