Spring oauth2 authorization server success logout but JWT token still can be used to introspect or userinfo


I successfully authenticate and get an access_token, refresh_token, and id_token.

  1. Once the access_token is generated, I make a request to userinfo or introspect, and it says the token is active: true.
  2. Then I use the refresh_token to retrieve a new access_token. Once I have the new access_token, I make a request to /introspect with the old token and it says active: false.
  3. When I use the id_token to log out, I am redirected to post_logout_redirect_uri. But when I make a request to /introspect it returns active: true, together with all the token details.

In point 2 it was clear that my previous access_token is not valid anymore. I thought /logout would also update my token to become active: false, but that does not happen.

Here is my config file:

import javax.sql.DataSource;

import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
import org.springframework.security.web.SecurityFilterChain;

// The class declaration and constructor were not part of the posted snippet; the names are assumed.
// KeyManager, CustomAuthenticationProvider and CustomClientMetadataConfig are the poster's own classes
// (assumed to live in the same package).
@Configuration
public class SecurityConfig {

    private final KeyManager keyManager;
    private final DataSource dataSource;
    private final CustomAuthenticationProvider customAuthenticationProvider;

    public SecurityConfig(KeyManager keyManager, DataSource dataSource,
                          CustomAuthenticationProvider customAuthenticationProvider) {
        this.keyManager = keyManager;
        this.dataSource = dataSource;
        this.customAuthenticationProvider = customAuthenticationProvider;
    }

    // Authorization server chain. applyDefaultSecurity() restricts this chain to the protocol
    // endpoints, so it has to be evaluated before the catch-all (anyRequest) chain declared below;
    // @Order makes that explicit instead of relying on bean declaration order.
    @Bean
    @Order(1)
    SecurityFilterChain oauthSecurityFilterChain(HttpSecurity httpSecurity) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(httpSecurity);
        httpSecurity
            .getConfigurer(OAuth2AuthorizationServerConfigurer.class).oidc(
                customizer -> customizer.clientRegistrationEndpoint(
                    clientRegistrationEndpoint -> clientRegistrationEndpoint.authenticationProviders(CustomClientMetadataConfig.configureCustomClientMetadataConverters())
                )
            )
            .registeredClientRepository(jdbcRegisteredClientRepository());

        httpSecurity
            // Redirect unauthenticated browser requests to the login page
            .formLogin(Customizer.withDefaults())
            // Accept the server's own JWTs on the userinfo / client-registration endpoints
            .oauth2ResourceServer(oauth2ResourceServer -> oauth2ResourceServer.jwt(Customizer.withDefaults()));
        return httpSecurity.build();
    }

    @Bean
    JWKSource<SecurityContext> jwkSource() {
        ...
    }

    @Bean
    JdbcTemplate jdbcTemplate() {
        ...
    }

    @Bean
    JdbcRegisteredClientRepository jdbcRegisteredClientRepository() {
        ...
    }

    @Bean
    RegisteredClient registeredClientRepository() {
        ...
    }

    // Application chain for everything the authorization server chain does not match.
    @Bean
    @Order(2)
    SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            .csrf(customizer -> customizer.disable())
            .authorizeHttpRequests(authorize ->
                authorize
                    .requestMatchers("/api-docs", "/api-docs/*", "/swagger-ui/*").permitAll()
                    .anyRequest().authenticated()
            )
            // The original used `customizer -> Customizer.withDefaults()`, a lambda that builds a
            // Customizer and discards it, so the defaults were never applied. Pass the Customizer itself.
            .formLogin(Customizer.withDefaults())
            .logout(Customizer.withDefaults())
            .authenticationProvider(customAuthenticationProvider);

        return httpSecurity.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        ...
    }

    @Bean
    OAuth2TokenCustomizer<JwtEncodingContext> jwtTokenCustomizer() {
        ...
    }
}

I am using

  • spring-boot-starter-security:3.2.2
  • spring-security-oauth2-authorization-server:1.2.1
  • spring-security-cas:6.2.1
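The behaviour in points 2 and 3 follows from what each endpoint touches in the server's OAuth2Authorization record. The refresh grant issues a new access token and marks the previous one invalidated in that record, which is why introspection of the old token returns active: false. The OIDC RP-Initiated Logout endpoint (/connect/logout) only ends the user's session and redirects; it does not modify the tokens, so introspection and userinfo keep accepting them until they expire. The example below, written for this page and not taken from the question or from Spring Authorization Server itself, replaces the logout endpoint's response handler with one that invalidates the access and refresh tokens belonging to the id_token_hint and then performs the same session teardown and post_logout_redirect_uri redirect the default handler does. It assumes an OAuth2AuthorizationService bean is declared (a JDBC-backed one is shown, matching the JDBC client repository in the question); the class names TokenRevokingLogoutHandler and AuthorizationServerLogoutConfig are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcLogoutAuthenticationToken;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.web.util.UriUtils;

/** Hypothetical logout response handler: revokes the tokens behind id_token_hint, then logs out as the default handler does. */
final class TokenRevokingLogoutHandler implements AuthenticationSuccessHandler {

    private static final OAuth2TokenType ID_TOKEN = new OAuth2TokenType(OidcParameterNames.ID_TOKEN);

    private final OAuth2AuthorizationService authorizationService;
    private final SecurityContextLogoutHandler sessionLogout = new SecurityContextLogoutHandler();
    private final DefaultRedirectStrategy redirect = new DefaultRedirectStrategy();

    TokenRevokingLogoutHandler(OAuth2AuthorizationService authorizationService) {
        this.authorizationService = authorizationService;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException {
        OidcLogoutAuthenticationToken logout = (OidcLogoutAuthenticationToken) authentication;

        // The id_token_hint identifies the authorization that also holds the access and refresh tokens.
        OAuth2Authorization authorization = authorizationService.findByToken(logout.getIdTokenHint(), ID_TOKEN);
        if (authorization != null) {
            authorizationService.save(invalidateTokens(authorization));
        }

        // Same session teardown the default handler performs, then honour post_logout_redirect_uri (+ state).
        sessionLogout.logout(request, response, authentication);
        String target = "/";
        if (logout.getPostLogoutRedirectUri() != null) {
            UriComponentsBuilder uri = UriComponentsBuilder.fromUriString(logout.getPostLogoutRedirectUri());
            if (logout.getState() != null) {
                uri.queryParam(OAuth2ParameterNames.STATE, UriUtils.encode(logout.getState(), StandardCharsets.UTF_8));
            }
            target = uri.build(true).toUriString();
        }
        redirect.sendRedirect(request, response, target);
    }

    /** Marks the access and refresh tokens invalidated; introspection's isActive() then reports active=false. */
    static OAuth2Authorization invalidateTokens(OAuth2Authorization authorization) {
        OAuth2Authorization.Builder builder = OAuth2Authorization.from(authorization);
        markInvalidated(builder, authorization.getAccessToken());
        markInvalidated(builder, authorization.getRefreshToken()); // null for grants that issued none
        return builder.build();
    }

    private static void markInvalidated(OAuth2Authorization.Builder builder,
                                        OAuth2Authorization.Token<? extends OAuth2Token> token) {
        if (token != null) {
            builder.token(token.getToken(),
                metadata -> metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
        }
    }
}

@Configuration
class AuthorizationServerLogoutConfig {

    // Assumed: persist authorizations in JDBC so the invalidation survives restarts and is shared across nodes.
    @Bean
    OAuth2AuthorizationService authorizationService(JdbcTemplate jdbcTemplate, RegisteredClientRepository clients) {
        return new JdbcOAuth2AuthorizationService(jdbcTemplate, clients);
    }

    @Bean
    @Order(1)
    SecurityFilterChain oauthSecurityFilterChain(HttpSecurity http, OAuth2AuthorizationService authorizationService)
            throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
            .oidc(oidc -> oidc.logoutEndpoint(logout ->
                logout.logoutResponseHandler(new TokenRevokingLogoutHandler(authorizationService))));
        return http.build();
    }
}
```

Two caveats worth keeping in mind. Invalidating the record only changes what the authorization server's own /oauth2/introspect and /userinfo endpoints report; a resource server that validates the JWT signature locally (as the question's `oauth2ResourceServer().jwt()` does) will still accept the access token until its `exp` claim passes, so immediate revocation on other services requires introspection or short-lived tokens there. And if the client can call the server directly, the standards-based alternative is to POST the access or refresh token to /oauth2/revoke before sending the browser to /connect/logout, which needs no server-side customisation at all.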