So a question:
Let’s assume you implement https://auth0.com/docs/architecture-scenarios/application/spa-api.
- Since this is an SPA we are storing the access token in local storage
- So a user who digs around can locate these access tokens and store them
- Then the user logs out.
- However they can still make any call to backend APIs until the token expires
Isn’t this a fundamental problem? From a high level, the user has logged out, yet he/she is able to make API calls.
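To make the scenario concrete, here is an added example (not code from the post or from Auth0's documentation) of a minimal resource server: checking only signature and expiry, it keeps accepting a copied access token after the SPA has "logged out", while a denylist of token ids recorded at logout, or a short lifetime, closes that window. It assumes a constructed HMAC signing key, a `jti` claim in the token, and an in-memory revocation map.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-signing-key"  # constructed; a real API verifies Auth0-issued tokens

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub: str, ttl: int, now: int) -> str:
    """Mint an HMAC-signed bearer token, standing in for the access token the SPA keeps in local storage."""
    claims = {"sub": sub, "jti": secrets.token_hex(8), "exp": now + ttl}
    body = _b64url(json.dumps(claims).encode())
    sig = _b64url(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token: str, now: int):
    """Signature and expiry only: all a stateless API knows. A client-side logout changes nothing here."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64url(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64url(body))
    return claims if claims["exp"] > now else None

class ResourceServer:
    """Backend API that can additionally consult a denylist of token ids (jti) revoked at logout."""

    def __init__(self):
        self.revoked = {}  # jti -> exp; entries can be pruned once the token would expire anyway

    def logout(self, token: str, now: int) -> None:
        claims = verify_token(token, now)
        if claims:
            self.revoked[claims["jti"]] = claims["exp"]

    def authorize(self, token: str, now: int, check_revocation: bool):
        claims = verify_token(token, now)
        if claims is None or (check_revocation and claims["jti"] in self.revoked):
            return None
        return claims["sub"]
```

The denylist only needs to live as long as the shortest token lifetime, which is also why short-lived access tokens plus a refresh flow are the usual answer for SPAs.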