Well, hence (functional). Making the client forget a token sounds trivial. But there's a long tail of clients out there, and many cases where things might get more complicated.
Maybe I'm damaged from working in a regulated industry, but a (possibly malicious) client who went through the logout process and could prove someone else reused the token after logout might have a case. Or another of a myriad of unknown possibilities.
It's all very unnecessary. There's a reason we all used to invalidate trust server side. It's just so much easier to reason about.
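The contrast the comment draws, written out as an added example that is not part of the original thread: a purely stateless signed token is still accepted after logout, while a server-side revocation record keyed on the token id lets the server stop trusting it. The HMAC key, the `jti` claim name and the `ServerSideSessions` class are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed signing key for the example; a real deployment loads it from a secret store.
SECRET = b"example-signing-key-not-for-production"


def _sign(body: str) -> str:
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str) -> str:
    """Issue a self-contained token: base64url(JSON claims) + '.' + HMAC-SHA256 tag.
    The 'jti' claim is a random per-token id the server can later revoke."""
    claims = json.dumps({"sub": user, "jti": secrets.token_hex(8)}).encode()
    body = base64.urlsafe_b64encode(claims).decode()
    return f"{body}.{_sign(body)}"


def verify_stateless(token: str):
    """Signature-only check. Nothing here can notice that the client logged out,
    so a token captured before logout keeps working until it expires."""
    body, tag = token.split(".", 1)
    if not hmac.compare_digest(_sign(body), tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


class ServerSideSessions:
    """Server-side trust: the server records which token ids it no longer honours.
    (A production store would drop each jti once the token's expiry has passed.)"""

    def __init__(self):
        self.revoked = set()

    def logout(self, token: str) -> None:
        claims = verify_stateless(token)
        if claims is not None:
            self.revoked.add(claims["jti"])

    def verify(self, token: str):
        claims = verify_stateless(token)
        if claims is None or claims["jti"] in self.revoked:
            return None
        return claims
```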