Hi,
I’m doing a server-side verification. For testing purposes, I record the idTokens. I log in as a user, send a request to my backend, and perform a server-side verification using the app_pub_key and the idToken of the user. Then I log out, but using the old idToken (which should be revoked), the user is authorized in my backend again. How can I prevent this behaviour? If a user logs out before the expiration date of the idToken, the old idTokens can be used for backend authorization, which is not a good security practice, of course.
What do you recommend?
Thanks,
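
The behaviour described in the post above, shown as an added example that is not part of the original post or of any SDK: signature and expiry checks alone keep accepting an idToken after logout, so the backend has to hold its own logout state. The `RevocationStore` class, the claim names `sub`, `iat` and `exp`, and all sample values are assumptions, and the claims are taken to come from a token whose signature was already verified.

```python
import hashlib
import time

class RevocationStore:
    """Server-side logout state, consulted after signature verification."""

    def __init__(self):
        self._denied = {}     # sha256(token) -> exp; kept only until expiry
        self._logout_at = {}  # sub -> time of the user's latest logout

    @staticmethod
    def _fingerprint(token):
        # Store a hash so the denylist never holds replayable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def logout(self, token, claims, now=None):
        """Call from the backend's logout endpoint with the verified claims."""
        now = time.time() if now is None else now
        self._denied[self._fingerprint(token)] = claims["exp"]
        self._logout_at[claims["sub"]] = now
        self._prune(now)

    def is_authorized(self, token, claims, now=None):
        """Return True only if the token is unexpired and not logged out."""
        now = time.time() if now is None else now
        if claims["exp"] <= now:
            return False
        if self._fingerprint(token) in self._denied:
            return False
        # Also rejects tokens issued before the last logout that were never seen here.
        cutoff = self._logout_at.get(claims["sub"])
        return cutoff is None or claims["iat"] > cutoff

    def _prune(self, now):
        # Expired tokens fail the exp check anyway, so their entries can go.
        self._denied = {h: exp for h, exp in self._denied.items() if exp > now}

def demo():
    # Constructed sample values: opaque token strings and already-verified claims.
    store = RevocationStore()
    old = ("token-A", {"sub": "user-1", "iat": 1000, "exp": 4600})
    sibling = ("token-B", {"sub": "user-1", "iat": 1200, "exp": 4800})
    fresh = ("token-C", {"sub": "user-1", "iat": 2100, "exp": 5700})
    before = store.is_authorized(*old, now=1500)
    store.logout(*old, now=2000)
    # Order: before logout, replayed old token, sibling token, token from a new login.
    return [before, store.is_authorized(*old, now=2050),
            store.is_authorized(*sibling, now=2050),
            store.is_authorized(*fresh, now=2200)]
```

With more than one backend instance, the two maps need to live in storage that all instances share, otherwise a replayed token is only rejected by the instance that handled the logout.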