For our SPAs we are currently storing our tokens in app memory and are also using refresh token rotation. That means that if a user has two tabs open, they have two separate sets of access / id / refresh tokens.
When a user logs out, only those tokens associated with the tab are invalidated. Users found they could still make API calls with the tokens on the other tab. Has anyone come across this issue / have a solution for it?
I did see the documentation for /api/v1/users/${userId}/sessions that optionally revokes all access and id tokens, but in the fine print it says: "This operation doesn’t clear the sessions created for web sign in or native applications."
TLDR: is there any way to revoke all tokens associated with a session? Or a solution for this multiple tab issue?
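
One way to handle the multiple-tab case described above, as an added example that is not part of the original post: each tab revokes its own in-memory tokens as soon as any tab logs out, signalled over a BroadcastChannel. `TabAuth`, `makeBus` and the `revoke` callback are hypothetical names, and `revoke` is assumed to call the authorization server's token revocation endpoint.

```javascript
// Added example. Assumptions: `channel` is a BroadcastChannel-like object and
// `revoke(token)` is a hypothetical callback that revokes one token server-side.
class TabAuth {
  constructor(channel, revoke) {
    this.channel = channel;
    this.revoke = revoke;
    this.tokens = null; // in-memory only: { accessToken, refreshToken }
    // Another tab logged out: revoke this tab's own token set too.
    channel.onmessage = (event) => {
      if (event.data && event.data.type === 'logout') this.dropTokens();
    };
  }

  setTokens(tokens) { this.tokens = tokens; }

  // Revoke and forget this tab's tokens. Returns how many were revoked.
  dropTokens() {
    if (!this.tokens) return 0; // already logged out, nothing to revoke
    const { accessToken, refreshToken } = this.tokens;
    this.tokens = null; // clear first so no further API call can use them
    // Refresh token goes first so it cannot mint a new access token.
    const doomed = [refreshToken, accessToken].filter(Boolean);
    doomed.forEach((t) => this.revoke(t));
    return doomed.length;
  }

  // User-initiated logout: revoke locally, then notify every other tab.
  // The message carries no token material, only the logout signal.
  logout() {
    const n = this.dropTokens();
    this.channel.postMessage({ type: 'logout' });
    return n;
  }
}

// Constructed in-memory stand-in for BroadcastChannel so the example runs
// outside a browser; like the real API, a sender never gets its own message.
function makeBus() {
  const ports = [];
  return () => {
    const port = {
      onmessage: null,
      postMessage(data) {
        ports.forEach((p) => { if (p !== port && p.onmessage) p.onmessage({ data }); });
      },
    };
    ports.push(port);
    return port;
  };
}
```

In a browser each tab would construct `new TabAuth(new BroadcastChannel('auth'), revoke)`, where the channel name is arbitrary. This only reaches tabs of the same origin in the same browser that are open when the logout happens.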