I may be misunderstanding something here, but for security purposes, it seems like we'd want a handler that, on signout, immediately revokes the latest refresh and auth tokens so that if someone had either, they'd no longer work (particularly the refresh token). I see there's a revokeRefreshToken function in the cacheStorage.js example, which could work, but it also appears to create a new refresh token. (Which isn't really a problem as long as it's not returned to the client.)
Basically I suppose I'm just curious: If I wanted to create my own signout handler to satisfy the security needs described above, what's the best approach to doing so?