using keycloak refresh token i am able to logout but my access token is not invalidating

Below is my source code

    @PostMapping(value = "/logout", produces = MediaType.APPLICATION_JSON_VALUE)
public ResponseDTO usingRefreshTokenLogout(@RequestBody LogoutRequestDTO logoutRequestDTO) throws ServletException {
log.info("going to logout user");
return keycloakService.logoutFromSSO(logoutRequestDTO);
}
@Override
public ResponseDTO logoutFromSSO(LogoutRequestDTO logoutRequestDTO) throws ServletException {
logoutRequestDTO.setClient_id(clientId);
logoutRequestDTO.setClient_secret(clientSecret);
ResponseEntity<String> response =  loginClient.logout(logoutRequestDTO);
if(response.getStatusCode() == HttpStatus.NO_CONTENT) {
log.info("response : {}", response.getBody());
return new SuccessResponseDTO("Logout request successful");
}else {
log.info("response : {}", response.getBody());
return new SuccessResponseDTO("Logout request failed with status code: " +  
response.getStatusCode());
}
}
import com.tcg.admin.dto.LogoutRequestDTO;
import feign.Headers;
import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
@FeignClient(name = "sessionFeignClient", url = "${client.post.base.url}")
public interface LoginClient {
@PostMapping(value = "/logout",
consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
ResponseEntity<String> logout(@RequestBody LogoutRequestDTO logoutRequestDTO);
}
@Getter
@Setter
@AllArgsConstructor
@NoArgsConstructor
@Builder
public class LogoutRequestDTO {
private String refresh_token;
private String client_id;
private String client_secret;
}

and below is my logout url

http://base-url/realms/my-realm-name/protocol/openid-connect/logout

I am trying to implement logout functionality. using refresh token then i am able to logout but after logout my access token is not invalidating. and using that access token i can access other resource. and if i go through according to keycloak docs. https://www.keycloak.org/docs/latest/securing_apps/index.html#logout then i am getting in the postman response for logout confirmation. if someone help me for resolving this issue.
and my keycloak version is 15.0.2

and thanks in advance

JWT access tokens are stateless and do not become invalidated when a user logs out. An API will continue to accept them.

You can revoke a refresh token at any time, including upon logout. The next time a party attempts to use the refresh token to get an access token, it will fail.

The two usual, and simplest, best practices, assuming you are writing a web client, are as follows:

• Keep access tokens short lived, eg 15 minutes, so that they are not valid for long after logout

• Use a secure cookie layer in the web app, according to best practices, which also helps to ensure that all back end access is immediately denied upon logout

• The client is trusted to discard all tokens upon logout (as pointed out by ch4mp in the comments below)

ADVANCED CONTROL

It is also possible to use access tokens in a reference token format. Such tokens require introspection at the authorization server, and can immediately detect revocation events.

Introspection is typically done in an API gateway, which then caches results for future requests with the same token.

After a revocation event, the authorization server can notify the API gateway, which can remove tokens for that client + user combination from its cache.

I know this 'solution' is a hack but may help you as workaround.

You can persist token, and is_activate flag to database.
When you logout user then you can change flag of particular token, if token is inactive, user shouldnt' get access to API.

PS: in keycloak API once I found .invalidate(token) method:

    Keycloak keycloak = KeycloakBuilder.builder()
.realm(realm)
.serverUrl(serverURL)
...
.build();
keycloak.tokenManager()
.invalidate(token);

This is the essence of large amount of the criticism around use of JWTs. See articles like "Stop using JWT for sessions", its sequel, and a bunch of other guidance. You need a session db, as Kafarson hinted at, or you live with the frustrating need to rely on timeout which is a pretty big issue for your security posture.