OAuth token revocation
Hi, guys!
Help me understand plz. We implemented the OAuth flow, everything works fine, but I fail to understand the connection between the session and the tokens.
When the user logs out, our frontend (using the Zitadel lib) calls /oidc/v1/end_session. In the user_sessions table the respective session changes state from 0 to 1, and the access token becomes invalid. However, the refresh token is not revoked and I can still get an access token using it.
Can you explain why the access token becomes invalid and the refresh token doesn't?
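One way to close the gap the post describes, as an added example that is not the poster's code and not part of Zitadel: have the logout handler revoke the refresh token through the OAuth 2.0 revocation endpoint (RFC 7009) in addition to calling end_session, then confirm with introspection (RFC 7662) that the token can no longer be exchanged. The issuer URL, the endpoint paths /oauth/v2/revoke and /oauth/v2/introspect, the client credentials and the FakeAuthServer stand-in are assumptions constructed for this example; check the paths against your Zitadel instance's discovery document.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

ISSUER = "https://zitadel.example.invalid"        # placeholder issuer (assumption)
REVOKE_URL = f"{ISSUER}/oauth/v2/revoke"          # assumed RFC 7009 revocation endpoint path
INTROSPECT_URL = f"{ISSUER}/oauth/v2/introspect"  # assumed RFC 7662 introspection endpoint path

def _form_request(client_id, client_secret, token):
    """HTTP Basic client auth plus the form body both RFCs specify (token + token_type_hint)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}", "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"token": token, "token_type_hint": "refresh_token"}).encode()

def http_post(url, headers, body):
    """Real transport: returns (status, response_text). Tests swap in FakeAuthServer.post."""
    with urlopen(Request(url, data=body, headers=headers, method="POST"), timeout=10) as resp:
        return resp.status, resp.read().decode()

def revoke_refresh_token(refresh_token, client_id, client_secret, post=http_post):
    """RFC 7009: HTTP 200 means the token is revoked (servers also return 200 for already-invalid tokens)."""
    status, _ = post(REVOKE_URL, *_form_request(client_id, client_secret, refresh_token))
    return status == 200

def refresh_token_is_active(refresh_token, client_id, client_secret, post=http_post):
    """RFC 7662: 'active': false means the refresh token can no longer mint access tokens."""
    status, text = post(INTROSPECT_URL, *_form_request(client_id, client_secret, refresh_token))
    if status != 200:
        raise RuntimeError(f"introspection failed with HTTP {status}")
    return bool(json.loads(text).get("active", False))

def logout_and_verify(refresh_token, client_id, client_secret, post=http_post):
    """Revoke first (end_session alone leaves the refresh token usable), then verify it is dead."""
    revoke_refresh_token(refresh_token, client_id, client_secret, post)
    return not refresh_token_is_active(refresh_token, client_id, client_secret, post)

class FakeAuthServer:
    """Constructed in-memory stand-in for the authorization server so the example runs offline."""
    def __init__(self):
        self.revoked = set()
    def post(self, url, headers, body):
        token = parse_qs(body.decode())["token"][0]
        if url == REVOKE_URL:
            self.revoked.add(token)
            return 200, ""
        if url == INTROSPECT_URL:
            return 200, json.dumps({"active": token not in self.revoked})
        return 404, ""
```

Run the real flow by passing the default `http_post` transport; the fake server shows the expected before/after state of the token without any network access.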
