Feature: Remove refresh token from Active devices on logout
Description: When a user logs out of a SPA, calling the logout endpoint does not revoke the refresh token. This leaves it available for use if it is compromised on the client side or in transit. The revoke refresh token endpoint can be called separately, but it would be good to remove the refresh token for the device on logout.
Use-case: We’re building a SaaS AI SPA and use Auth0 to protect access to our resource APIs.
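
The workaround the description mentions, as an added example that is not part of the original post or Auth0's own code: revoke the refresh token at the `/oauth/revoke` endpoint first, then redirect to `/v2/logout`. The tenant domain, client ID, return URL and the helper names are assumptions, and `fetchImpl` is injectable so the flow can be exercised offline.

```javascript
// Added example. Placeholders (assumed, not from the post): domain, clientId, returnTo.

// Request for Auth0's token revocation endpoint. A SPA is a public client,
// so no client_secret is sent.
function buildRevokeRequest(domain, clientId, refreshToken) {
  return {
    url: `https://${domain}/oauth/revoke`,
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ client_id: clientId, token: refreshToken }),
    },
  };
}

// Logout URL that ends the Auth0 session; on its own it leaves the refresh token valid.
function buildLogoutUrl(domain, clientId, returnTo) {
  const u = new URL(`https://${domain}/v2/logout`);
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('returnTo', returnTo);
  return u.toString();
}

// Revoke first, then hand back the logout URL. A failed revocation never blocks
// logout; it is reported so the caller can log it or retry.
async function revokeThenLogout(cfg, refreshToken, fetchImpl = globalThis.fetch) {
  let revoked = false;
  if (refreshToken) {
    try {
      const { url, init } = buildRevokeRequest(cfg.domain, cfg.clientId, refreshToken);
      const res = await fetchImpl(url, init);
      revoked = res.ok; // the endpoint answers 200 when the token is revoked
    } catch (err) {
      revoked = false; // network error: the token may still be active server-side
    }
  }
  const logoutUrl = buildLogoutUrl(cfg.domain, cfg.clientId, cfg.returnTo);
  return { revoked, logoutUrl };
}
```

In the browser, the caller clears its locally stored tokens and then sets `window.location` to the returned `logoutUrl`; a `revoked: false` result means the device entry may still be listed as active.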