The user needs to log in on multiple devices. Each login creates a session with its own token and refresh token. The tokens are stored in the database, and then each token the API receives is validated against the DB. When a user logs out, the token will be deleted from the database so it is no longer valid.
I assume such a scenario is quite common, but it seems it is not built into ASP.NET Core Identity, which means I need to add my own table for the sessions. And since people say "making up your own identity framework is stupid", I'm wondering: am I approaching this wrong, or is it not built into ASP.NET Core Identity (why?)?
So after the talk with @Dai in the comments, the question seems to boil down to: How is instant logout achieved in token-based apps? And isn't that built in?
It is not built into ASP.NET Core Identity because tokens are mainly there for stateless authentication (no DB). And how stateless token-based logout is achieved is discussed here.
No DB should be used for token-based authentication.
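The server-side session table the question describes, where logging out deletes the row and that device's token stops validating immediately, as an added example (not code from the post or from ASP.NET Core Identity). An in-memory dictionary stands in for the database table; the `Session`, `SessionStore` and `Demo` names are hypothetical, and keying the table by a SHA-256 hash of the token rather than the token itself is an assumption added here.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical row of the custom "sessions" table: one row per device login.
public sealed record Session(string UserId, string Device, DateTimeOffset ExpiresAt);

// In-memory stand-in for that table, keyed by the SHA-256 of the token so
// that a leaked copy of the table does not contain usable tokens (assumption).
public sealed class SessionStore
{
    private readonly ConcurrentDictionary<string, Session> _rows = new();

    private static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));

    // Login: issue a random opaque token and record the session for this device.
    public string Login(string userId, string device, TimeSpan lifetime)
    {
        string token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _rows[Hash(token)] = new Session(userId, device, DateTimeOffset.UtcNow + lifetime);
        return token;
    }

    // Per-request check: valid only while the row exists and has not expired.
    public Session? Validate(string token) =>
        _rows.TryGetValue(Hash(token), out var s) && s.ExpiresAt > DateTimeOffset.UtcNow ? s : null;

    // Logout on one device: delete that row; the token fails on the next request.
    public bool Logout(string token) => _rows.TryRemove(Hash(token), out _);
}

public static class Demo
{
    public static void Main()
    {
        var store = new SessionStore();
        string phone = store.Login("alice", "phone", TimeSpan.FromHours(1));   // constructed sample user
        string laptop = store.Login("alice", "laptop", TimeSpan.FromHours(1));

        store.Logout(phone);
        Console.WriteLine(store.Validate(phone) is null);       // revoked token no longer validates
        Console.WriteLine(store.Validate(laptop) is not null);  // other device's session is untouched
    }
}
```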