Reference Tokens expiry after logout #18
Unanswered
jochenkluger
asked this question in
IdentityServer
Replies: 0 comments 2 replies
Access tokens are meant to be reused across requests. Creating a new one for each request is not the correct flow and will lead to issues.
(note: we're moving this issue to our new community discussions)
Which version of Duende IdentityServer are you using?
7.0.8
Which version of .NET are you using?
8.0
Describe the bug
I think it is a question, not a bug.
We are using an IdentityServer implementation with the Entity Framework stores. There is one Angular frontend using angular-oauth2-oidc (https://github.com/manfredsteyer/angular-oauth2-oidc) and several APIs using this identity provider. The login flow is authorization_code with PKCE and reference tokens, and at first sight everything is working as expected.
If we have a look at the database, we can see that every call to an API generates a new token in the PersistedGrants table inside the same session. That is triggered by the Angular code to reset the expiration time (a call to silentRefresh in the OAuthService of the oidc library).
When we do a logout in the frontend, only the current token is invalidated and removed; the other tokens in the same session stay valid and can be used until they expire (about 20 minutes at the moment).
Expected behavior
All the tokens of the session should be invalidated when the user logs out.
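One way to get the behaviour asked for under "Expected behavior", as an added example that is not part of the original post, of the replies, or of Duende's own sample code. It assumes Duende IdentityServer 7.x with the Entity Framework stores, as in the post, and combines two things: enabling server-side sessions together with the client setting CoordinateLifetimeWithUserSession, which ties the reference and refresh tokens issued in a session to that session so they are revoked when the session ends; and, as an explicit belt-and-braces step in the logout page, deleting every persisted grant for the subject and session through IPersistedGrantStore.RemoveAllAsync with a PersistedGrantFilter. The client id "angular-spa", the scope "api1", the 20-minute token lifetime taken from the post, and the shape of the Logout Razor page are assumptions.

```csharp
// Added example (not from the post or from Duende's samples). Assumes Duende
// IdentityServer 7.x with the Entity Framework stores, as described in the post.
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Services;
using Duende.IdentityServer.Stores;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

// ---- 1. Program.cs: enable server-side sessions ------------------------------
var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddIdentityServer(options =>
    {
        // Clean up sessions that have expired and fire back-channel logout for them.
        options.ServerSideSessions.RemoveExpiredSessions = true;
        options.ServerSideSessions.ExpiredSessionsTriggerBackchannelLogout = true;
    })
    // .AddConfigurationStore(...) / .AddOperationalStore(...) stay as already configured
    .AddServerSideSessions();   // required for CoordinateLifetimeWithUserSession

// ---- 2. Client definition (the same property exists on the EF Client entity) ---
var angularSpa = new Client
{
    ClientId = "angular-spa",                          // assumed client id
    AllowedGrantTypes = GrantTypes.Code,
    RequirePkce = true,
    RequireClientSecret = false,
    AccessTokenType = AccessTokenType.Reference,
    AccessTokenLifetime = 20 * 60,                     // the ~20 minutes from the post
    AllowedScopes = { "openid", "profile", "api1" },   // "api1" is assumed
    // With server-side sessions enabled, this ties every reference and refresh
    // token issued in a session to that session, so ending the session (logout
    // or expiry) revokes all of them, not only the token the SPA last used.
    CoordinateLifetimeWithUserSession = true,
};

// ---- 3. Pages/Logout/Index.cshtml.cs: explicit cleanup of the session's grants -
public class LogoutModel : PageModel
{
    private readonly IIdentityServerInteractionService _interaction;
    private readonly IPersistedGrantStore _grants;

    public LogoutModel(IIdentityServerInteractionService interaction,
                       IPersistedGrantStore grants)
    {
        _interaction = interaction;
        _grants = grants;
    }

    public async Task<IActionResult> OnPost(string? logoutId)
    {
        var context = await _interaction.GetLogoutContextAsync(logoutId);
        var subjectId = User.FindFirst("sub")?.Value;
        // Prefer the session id from the logout request; fall back to the "sid"
        // claim carried in the IdentityServer authentication cookie.
        var sessionId = context?.SessionId ?? User.FindFirst("sid")?.Value;

        if (subjectId is not null && sessionId is not null)
        {
            // Remove every PersistedGrant row for this user *and* session across
            // all clients: reference tokens (including the extra ones created by
            // each silent refresh), refresh tokens and consent. Type and ClientId
            // are left unset on purpose; setting ClientId would only clean up the
            // client that initiated the logout.
            await _grants.RemoveAllAsync(new PersistedGrantFilter
            {
                SubjectId = subjectId,
                SessionId = sessionId,
            });
        }

        await HttpContext.SignOutAsync();   // ends the IdentityServer session cookie

        return context?.PostLogoutRedirectUri is { } url
            ? Redirect(url)
            : RedirectToPage("/Index");
    }
}
```

With CoordinateLifetimeWithUserSession in place the explicit RemoveAllAsync is redundant, but it makes the cleanup visible in the logout code and also covers clients that do not have the coordination flag set. Two caveats worth checking: the filter only matches grants that carry a SessionId, so tokens issued without a user session (client credentials, for example) are untouched; and if the APIs cache introspection results, a revoked reference token is still accepted until the cached entry ages out. After a logout, a query on the PersistedGrants table for the session's SessionId should return no rows.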