From the docs (Server Administration Guide):
“Users can view and revoke offline tokens that have been granted by them in the User Account Service. The admin user can revoke offline tokens for individual users in admin console in the
Consents tab of a particular user. The admin can also view all the offline tokens issued in the
Offline Access tab of each client. Offline tokens can also be revoked by setting a revocation policy.”
So, it looks like the admin can revoke individual tokens or all tokens at once.
If you want the user to do it as part of a logout, you should be able to call the User Account REST Service to do the same thing:
- Figure out which returned session is the offline session