I have been reading the OAuth spec but am struggling to understand something about logging out.
Should I wish to sign out from a web app, does the spec provide a URL I can redirect a user to, that deletes their session including issued cookies?
I have found some docs that specify an endpoint I can make a DELETE request to, which revokes my tokens, but this does not revoke issued cookies?
I am imagining something like ${issuer}/v1/logout that, when opened in the browser, ends the session.
In OpenID Connect there is an end session endpoint for this, though support varies between vendors. Here is a related answer I posted earlier.
What software are you using for the Authorization Server?
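Building the browser redirect for the end session endpoint mentioned in the answer above, as an added example that is not part of the original thread. It assumes the provider publishes `end_session_endpoint` in its OpenID Connect discovery metadata; `buildLogoutUrl` is a hypothetical helper and all hosts and token values are constructed.

```javascript
// Constructed sample discovery metadata (example.com hosts, not a real provider).
const SAMPLE_METADATA = {
  issuer: "https://idp.example.com",
  end_session_endpoint: "https://idp.example.com/logout?tenant=demo",
};
const SAMPLE_METADATA_NO_LOGOUT = { issuer: "https://idp.example.com" };

// Hypothetical helper: returns the URL to send the browser to, or null when
// the provider does not advertise end_session_endpoint (support varies).
function buildLogoutUrl(metadata, opts = {}) {
  const { idToken, clientId, postLogoutRedirectUri, state } = opts;
  const endpoint = metadata && metadata.end_session_endpoint;
  if (!endpoint) return null; // caller can only clear its own session cookie

  const url = new URL(endpoint);
  if (url.protocol !== "https:") {
    throw new Error("end_session_endpoint must use https");
  }
  // This example's policy: the provider needs to know which client is asking
  // before it can check the return URI against that client's registration.
  if (postLogoutRedirectUri && !idToken && !clientId) {
    throw new Error("post_logout_redirect_uri needs id_token_hint or client_id");
  }
  // searchParams.set() keeps query parameters already present on the endpoint.
  if (idToken) url.searchParams.set("id_token_hint", idToken);
  if (clientId) url.searchParams.set("client_id", clientId);
  if (postLogoutRedirectUri) {
    url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
    // state is echoed back on the return redirect so the app can match it.
    if (state) url.searchParams.set("state", state);
  }
  return url.toString();
}

// Constructed inputs; the token string is a placeholder, not a real ID token.
const exampleUrl = buildLogoutUrl(SAMPLE_METADATA, {
  idToken: "constructed.id.token",
  postLogoutRedirectUri: "https://app.example.com/signed-out",
  state: "constructed-state-value",
});
console.log(exampleUrl);
console.log(buildLogoutUrl(SAMPLE_METADATA_NO_LOGOUT));
```

The app still deletes its own session cookie before redirecting; the end session endpoint only ends the session held by the provider.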