@dan said in logout questions:
've got a question about logout.
When logging in using the /oauth2/token route with the auth wordle code grant, it seems the /api/logout route does not revoke the refresh token.
Is intended? Is the best way to log out in this case is with the /ouath2/logout route? How does that know which user to log out? there's no user id or refresh token property in the body.
Regarding user identification during logout, the OAuth 2.0 specification doesn't define a standard logout endpoint. Logout processes are often application-specific, and the mechanism to identify the user being logged out might depend on the authentication framework or technology being used.