Explain the logout procedure in case of explicit refresh tokens

[bmurauer]

After some thinking, I am unsure if I understand what steps are required to perform a secure logout in case the explicit refresh tokens are used. The scenarios that I can come up with are:

• require both tokens on logout() and block them both
• store the refresh token in the db upon creation, check it very time a token is refreshed, and delete it when a user logs out using the access token

Is there a preferred way?
I think this is very important and should be part of the documentation.

[vimalloc]

The two ways you have identified are both totally valid, and have different pros and cons depending on the use case and constraints of your application. In the past I have simply called logout on both tokens, so that I didn't need to maintain any additional state on my backend, but in some cases maybe having that state is beneficial for your application. For example, if you need the option to revoke a refresh token, and unrevoke it later, having that data stored in the DB can make that workflow very simple. Unfortunately I don't think there is a uniformed preferred way that can satisfy different types of flask applications.

[bmurauer]

Perfect, thanks a lot for your input. If it's OK with you, I'll write a PR to include this information in the documentation, I think that it might help some people with this decision.

[vimalloc]

Gonna close this issue for now. A PR is still totally welcome in the future though if that was something you wanted to help clarify 👍