When using the logout API /auth/sessions/logout the user is asked for their credentials when requesting a new token, as expected, but I am surprised that they can request a new access token using the refresh token issued at login time.
- request token /oauth2/auth
- enter credentials using a custom form
- call /oauth2/token with code to get access, id and refresh token
- request token /oauth2/auth sends the code directly without asking for credentials (remember set to true)
- call /oauth2/sessions/logout to logout
- request token /oauth2/auth redirect to form (ok logged out)
- call /oauth2/token with refresh token returns access, id and refresh token (should not, as logged out)
Am I missing something?
Hydra version: 1.4.9
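The steps above, modelled as an added example (constructed for this thread, not Hydra's code): a toy authorization server where the browser login session and the refresh tokens are separate objects. `logout_session_only` models what the post observes (the SSO session ends, so /oauth2/auth prompts for credentials again, but the refresh grant keeps working because it only checks the token itself), while `logout_and_revoke` models the mitigation of binding refresh tokens to the login session and revoking them (RFC 7009 style) when that session is ended. All class and function names here are hypothetical; the bookkeeping is not how Hydra stores tokens.

```python
"""Toy model of login sessions vs. refresh tokens (constructed example, not Hydra)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class LoginSession:
    subject: str
    active: bool = True
    # Hypothetical binding: refresh tokens issued while this session was active.
    refresh_tokens: Set[str] = field(default_factory=set)


class AuthServer:
    def __init__(self) -> None:
        self.sessions: Dict[str, LoginSession] = {}
        self.refresh_tokens: Dict[str, str] = {}  # refresh token -> session id

    def login(self, subject: str) -> str:
        """Credentials accepted on the login form: create the SSO session."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = LoginSession(subject)
        return sid

    def authorize(self, sid: str) -> bool:
        """/oauth2/auth with remember=true: no credential prompt while the session is active."""
        session = self.sessions.get(sid)
        return session is not None and session.active

    def issue_tokens(self, sid: str) -> Dict[str, str]:
        """/oauth2/token with an authorization code: mint an access and a refresh token."""
        if not self.authorize(sid):
            raise PermissionError("no active login session")
        rt = secrets.token_urlsafe(24)
        self.refresh_tokens[rt] = sid
        self.sessions[sid].refresh_tokens.add(rt)
        return {"access_token": secrets.token_urlsafe(24), "refresh_token": rt}

    def refresh(self, rt: str) -> Optional[Dict[str, str]]:
        """grant_type=refresh_token: validates the token only, not the login session."""
        sid = self.refresh_tokens.pop(rt, None)
        if sid is None:
            return None  # unknown, revoked or already-rotated token
        new_rt = secrets.token_urlsafe(24)  # rotate on use
        self.refresh_tokens[new_rt] = sid
        session = self.sessions[sid]
        session.refresh_tokens.discard(rt)
        session.refresh_tokens.add(new_rt)
        return {"access_token": secrets.token_urlsafe(24), "refresh_token": new_rt}

    def logout_session_only(self, sid: str) -> None:
        """Models the observed logout: ends the SSO session, leaves tokens untouched."""
        self.sessions[sid].active = False

    def revoke(self, rt: str) -> bool:
        """RFC 7009 style revocation of one refresh token; True if something was revoked."""
        sid = self.refresh_tokens.pop(rt, None)
        if sid is None:
            return False
        self.sessions[sid].refresh_tokens.discard(rt)
        return True

    def logout_and_revoke(self, sid: str) -> None:
        """Mitigation: end the session and revoke every refresh token bound to it."""
        self.logout_session_only(sid)
        for rt in list(self.sessions[sid].refresh_tokens):
            self.revoke(rt)


def reproduce(revoke_on_logout: bool) -> Dict[str, bool]:
    """Replay the post's steps and report what still works after logout."""
    srv = AuthServer()
    sid = srv.login("alice")            # steps 1-2: /oauth2/auth, credentials on the form
    tokens = srv.issue_tokens(sid)      # step 3: /oauth2/token with the code
    assert srv.authorize(sid)           # step 4: remembered session, no credentials asked
    if revoke_on_logout:                # step 5: logout
        srv.logout_and_revoke(sid)
    else:
        srv.logout_session_only(sid)
    return {
        "auth_without_credentials": srv.authorize(sid),                       # step 6
        "refresh_works": srv.refresh(tokens["refresh_token"]) is not None,    # step 7
    }


if __name__ == "__main__":
    print("session-only logout:", reproduce(False))
    print("logout + revocation:", reproduce(True))
```

Run as a script it prints the two outcomes: after a session-only logout the refresh grant still succeeds, after logout plus revocation it fails. In a real deployment the equivalent of `revoke` is the client posting the refresh token to the authorization server's revocation endpoint as part of its logout handling.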