trigger tokens revocation

[abdallah-odeh]

Hello there, Does calling endsession trigger token revocation?

In my web app, I tested the login & logout cycle the URLs triggered:

• connect/revocation (for access token)
• connect/revocation (for refresh token)
• connect/endsession?post_logout_redirect_uri=https%3A%2F%2Fmyapp.homepage.com
• Account/Logout
• Account/LoggedOut
• https://myapp.homepage.com

after these redirects, when I try to use the refresh token to obtain a new access token, the API connect/token with grant_type=refresh_token returns "invalid_grant" which means that the token is not valid in this case

but when I call the endsession API from flutter_appauth, the revocation APIs are not triggered thus, the refresh token is not revoked and can be used to obtain new access tokens URLs appeared in the server logs when the endsession is called from mobile:

• connect/endsession?post_logout_redirect_uri=com.myapp.packagename%3A%2F%2Flogout%2F
• Account/Logout
• Account/LoggedOut
• the webview is closed and the app proceed it's work

I thought maybe because the client_id is not passed in the endsession API, as the revocation APIs do require client_id I tried to append the client_id in the additionalParameters but no updates were detected

I then tried to manually call revocation for the refresh token with client_id, It worked fine, when I tried to obtain a new access token an error was returned

Notes: I am using identityserver4 & AuthorizationCode flow with PKCE

so is there anyway to do actually "End the session" and revoke any tokens for the current session?