Let’s assume some user logs in to any web application (let’s say, https://manage.auth0.com/) using Auth0 via Google-oauth2 and then loses the device he used to log in.
He immediately accesses his Google account from any other device and forces a logout from that device. He even goes to security → connected apps and removes that Auth0 app there.
Yet still, the Auth0 session on that stolen device remains active and getAccessTokenSilently still provides new tokens based on that session (!)
What can that poor user do?
If nothing, what can we do as developers?