After the AuthService authenticates users with an IdP, it tracks the user's status by:
- Issuing a session cookie to be stored in the user's browser.
- Storing the IDToken, access token and refresh token in the AuthService's database.
The /logout endpoint provides a logout functionality from the AuthService.
On logout, the AuthService will:
- Revoke the access/refresh tokens at the IdP (if the IdP provides a
revocation_endpointin the discovery document). Token revocation is described in RFC-7009. The tokens are stored in the user's session in the backend and never reach the browser. - Delete the user's session from the database.