I have built a setup where authentication is performed in a front-end application and the resulting access token is used for authenticating the user with the back-end API. Now, if a user were to log out, the access token is still valid and therefore, the user is able to perform API actions even if the user is logged out. So, is there any way to explicitly invalidate a user’s access token when the user logs out?
Also, we have another workflow where a user’s session must be terminated when a system administrator requests a password reset for a user in our application back end. So, how do we invalidate the target user’s access token in this case?