I have been working on a Single Page application (SPA) using Thinktecture Identity server V2 and OAuth2.
I am currently using the implicit flow. The workflow is as follows:
1. The SPA requests an access token for the Identity server.
2. The token is attached to the header that allows access to the web API.
The problem is that there is no way to invalidate tokens.
I have read that OpenID Connect and Thinktecture 3 have a signout endpoint. The question I have is: how does this invalidate the token? Does the web API have to call the identity server every time to check the validity of the token?