Full logout is expected when the Access Token is revoked via the revocation endpoint; however, tests show that after the Access Token is revoked, the user can replay a previous request and obtain a new Access Token. Is it possible to fully invalidate the user's session with a single visit to the revocation endpoint?
Release: ALL
1. A revocation of ID Token will revoke both Access Token and Refresh Token.
2. A Revoked Refresh Token will automatically revoke all Access Tokens issued by that Refresh Token.
3. A revoked Access Token does not revoke the Refresh Token. Per the OIDC spec, revoking the Refresh Token when the Access Token is revoked is optional and not mandated:
Depending on the authorization server's revocation policy, the revocation of a particular token may cause the revocation of related tokens and the underlying authorization grant. If the particular token is a Refresh Token and the authorization server supports the revocation of Access Tokens, then the authorization server SHOULD also invalidate all Access Tokens based on the same authorization grant. If the token passed to the request is an Access Token, the server MAY revoke the respective Refresh Token as well.
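As an added illustration (not part of the original answer or any vendor code), the following Python model implements the three rules above with assumed names (AuthServer, Grant, full_logout). It shows why revoking only the Access Token leaves a replayable Refresh Token, and that a single revocation of the Refresh Token (or ID Token) ends the session.

```python
"""Constructed model of the revocation policy described above."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Grant:
    """One authorization grant and the tokens issued under it."""
    id_token: str
    refresh_token: str
    access_tokens: set = field(default_factory=set)
    revoked: set = field(default_factory=set)


class AuthServer:
    def __init__(self):
        self.grants = {}  # token value -> Grant it belongs to

    def issue_grant(self):
        g = Grant(secrets.token_hex(8), secrets.token_hex(8))
        self.grants[g.id_token] = g
        self.grants[g.refresh_token] = g
        self.refresh(g.refresh_token)  # first Access Token
        return g

    def refresh(self, refresh_token):
        """Replayed refresh request: new Access Token, or None if the RT is dead."""
        g = self.grants.get(refresh_token)
        if g is None or refresh_token in g.revoked:
            return None
        at = secrets.token_hex(8)
        g.access_tokens.add(at)
        self.grants[at] = g
        return at

    def is_valid(self, token):
        g = self.grants.get(token)
        return g is not None and token not in g.revoked

    def revoke(self, token):
        """Revocation endpoint applying rules 1-3 from the answer."""
        g = self.grants.get(token)
        if g is None:
            return  # unknown token: nothing to do
        if token == g.id_token:          # rule 1: ID Token revokes RT and all ATs
            g.revoked.update({g.id_token, g.refresh_token, *g.access_tokens})
        elif token == g.refresh_token:   # rule 2: RT revokes every AT it issued
            g.revoked.update({g.refresh_token, *g.access_tokens})
        else:                            # rule 3: AT only; RT stays usable
            g.revoked.add(token)


def full_logout(server, grant):
    """One revocation call that ends the session: target the Refresh Token."""
    server.revoke(grant.refresh_token)
    return server.refresh(grant.refresh_token) is None
```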