We have multiple web applications developed on various platforms (client-side Angular and server-side .NET MVC, to be exact). All the applications have their own ClientID, but all the applications share the same Audience because they need to fetch data from the same API. This allows the same user to be logged into multiple applications at the same time.
When the user logs out from one application, they should be logged out of all the applications.
If we have two tabs open and we log out from the Angular application, then click on the next tab (the .NET MVC app) and hit refresh, the application still opens up and fetches the data with the existing access_token, since the application session is still available in the browser and the token has not yet expired. We want to prevent this behavior.
Is it possible to check if the user has logged out without calling the /authorize URL (in other words, without leaving the domain)? I only want to call /authorize if the remote session is no longer available. The other issue with calling /authorize is that I get into an infinite loop. The handler that calls /authorize is in the middleware of the root path, so when I come back to the root URL after fetching the code from the callback URL, I get into the same condition and the code calls /authorize again.
Any suggestions are greatly appreciated.
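
The redirect loop described in the post, modelled as an added example that is not part of the original post and is not tied to any framework. The function names, `RECHECK_MS`, the session fields and the simulated authorization server are assumptions; `prompt=none` and `login_required` are the standard OpenID Connect silent-check parameter and error.

```javascript
// Added example; decide functions, RECHECK_MS and session fields are hypothetical.
const RECHECK_MS = 60_000; // assumed interval between remote-session checks

// Naive root middleware: every request to "/" is sent to /authorize, including
// the one that arrives right after the callback, so the page is never served.
function naiveDecide(path, query, session, now) {
  if (path === "/callback") return { action: "redirect", to: "/" };
  return { action: "redirect", to: "/authorize?prompt=none" };
}

// Guarded middleware: the callback stamps the local session, and "/" re-checks
// the remote session only when that stamp is missing or older than RECHECK_MS.
function guardedDecide(path, query, session, now) {
  if (path === "/callback") {
    if (query.error === "login_required") { // remote session no longer exists
      session.user = null;
      session.checkedAt = null;
      return { action: "redirect", to: "/authorize" }; // interactive login
    }
    session.user = "constructed-user"; // stands in for the code exchange
    session.checkedAt = now;
    return { action: "redirect", to: "/" };
  }
  const fresh = session.checkedAt !== null && now - session.checkedAt < RECHECK_MS;
  if (session.user && fresh) return { action: "serve" };
  return { action: "redirect", to: "/authorize?prompt=none" };
}

// Follows redirects between the app and a simulated authorization server.
function simulate(decide, remoteLoggedIn, maxHops = 10) {
  const session = { user: null, checkedAt: null };
  let path = "/", query = {};
  for (let hops = 0; hops < maxHops; hops++) {
    const r = decide(path, query, session, 0);
    if (r.action === "serve") return { result: "served", hops };
    if (r.to.startsWith("/authorize")) {
      const silent = r.to.includes("prompt=none");
      query = silent && !remoteLoggedIn ? { error: "login_required" } : { code: "constructed" };
      if (!silent) remoteLoggedIn = true; // user completed the login form
      path = "/callback";
    } else {
      path = r.to;
      query = {};
    }
  }
  return { result: "loop", hops: maxHops };
}

console.log(simulate(naiveDecide, true), simulate(guardedDecide, true));
```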