Spring Security 5.2.2 org.springframework.security.web.server.authentication.logout.SecurityContextServerLogoutHandler does not revoke the OAuth2 token or remove the refresh token. See the code below (Spring Boot application with authorization-grant-type: authorization_code).

Should this logout handler be enhanced to take care of OAuth2 logout, or will some other logout handler take care of token clean-up?

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // Clears the SecurityContext from the WebSession; does not touch OAuth2 tokens
        ServerLogoutHandler securityContextLogoutHandler = new SecurityContextServerLogoutHandler();
        // Asks the browser to drop cookies via the Clear-Site-Data response header
        ServerLogoutHandler clearSiteDataLogoutHandler = new HeaderWriterServerLogoutHandler(
                new ClearSiteDataServerHttpHeadersWriter(ClearSiteDataServerHttpHeadersWriter.Directive.COOKIES));
        DelegatingServerLogoutHandler logoutHandler =
                new DelegatingServerLogoutHandler(securityContextLogoutHandler, clearSiteDataLogoutHandler);

        return http
                .oauth2Login().and()
                .logout().logoutUrl("/logout").logoutHandler(logoutHandler).and()
                .build();
    }

Comment From: eleftherias

@hanscrg Logging out does not mean that the OAuth2 token is revoked. By design, SecurityContextServerLogoutHandler will remove the security context, but will not revoke the OAuth2 token. If you wish to revoke the token when a user logs out, you can create a custom ServerLogoutHandler.
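One way to build the custom ServerLogoutHandler suggested above, as an added example that is not part of this thread or of Spring Security itself. It revokes the access and refresh tokens at the provider with an RFC 7009 revocation request and then removes the stored OAuth2AuthorizedClient. Assumptions: Spring Security 5.2 does not model a revocation endpoint in ClientRegistration, so the endpoint URI is passed in from configuration; the provider accepts client credentials as HTTP Basic; a ServerOAuth2AuthorizedClientRepository bean is available (Spring Boot auto-configures one for oauth2Login); the class and constructor names are the example's own.

```java
import java.net.URI;

import org.springframework.http.MediaType;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.AbstractOAuth2Token;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.authentication.logout.ServerLogoutHandler;
import org.springframework.web.reactive.function.BodyInserters;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

/**
 * Example (not Spring Security code): revokes the user's OAuth2 tokens at the
 * provider (RFC 7009) and drops the locally stored OAuth2AuthorizedClient.
 * Register it ahead of SecurityContextServerLogoutHandler so the authorized
 * client can still be loaded while the handler runs.
 */
public class OAuth2TokenRevocationServerLogoutHandler implements ServerLogoutHandler {

    private final ServerOAuth2AuthorizedClientRepository authorizedClients;
    // Assumption: the RFC 7009 endpoint comes from application config; ClientRegistration has no field for it
    private final URI revocationEndpoint;
    private final WebClient webClient = WebClient.create();

    public OAuth2TokenRevocationServerLogoutHandler(ServerOAuth2AuthorizedClientRepository authorizedClients,
                                                    URI revocationEndpoint) {
        this.authorizedClients = authorizedClients;
        this.revocationEndpoint = revocationEndpoint;
    }

    @Override
    public Mono<Void> logout(WebFilterExchange exchange, Authentication authentication) {
        // LogoutWebFilter passes an anonymous token when nobody is logged in: nothing to revoke
        if (!(authentication instanceof OAuth2AuthenticationToken)) {
            return Mono.empty();
        }
        String registrationId = ((OAuth2AuthenticationToken) authentication).getAuthorizedClientRegistrationId();

        Mono<OAuth2AuthorizedClient> client = this.authorizedClients
                .loadAuthorizedClient(registrationId, authentication, exchange.getExchange());

        return client
                .flatMap(this::revokeTokens)
                // A failed revocation call must not leave the user logged in locally
                .onErrorResume(ex -> Mono.empty())
                .then(this.authorizedClients.removeAuthorizedClient(registrationId, authentication,
                        exchange.getExchange()));
    }

    private Mono<Void> revokeTokens(OAuth2AuthorizedClient client) {
        ClientRegistration registration = client.getClientRegistration();
        // Revoke the refresh token (ends the grant), then the access token explicitly:
        // RFC 7009 only says the server SHOULD revoke access tokens tied to a revoked refresh token.
        Mono<Void> revokeRefresh = client.getRefreshToken() == null
                ? Mono.empty()
                : revoke(registration, client.getRefreshToken(), "refresh_token");
        Mono<Void> revokeAccess = revoke(registration, client.getAccessToken(), "access_token");
        return revokeRefresh.then(revokeAccess);
    }

    // POST token=...&token_type_hint=... with client credentials as HTTP Basic (RFC 7009 section 2.1)
    private Mono<Void> revoke(ClientRegistration registration, AbstractOAuth2Token token, String tokenTypeHint) {
        return this.webClient.post()
                .uri(this.revocationEndpoint)
                .headers(headers -> headers.setBasicAuth(registration.getClientId(), registration.getClientSecret()))
                .contentType(MediaType.APPLICATION_FORM_URLENCODED)
                .body(BodyInserters.fromFormData("token", token.getTokenValue())
                        .with("token_type_hint", tokenTypeHint))
                .retrieve()
                .toBodilessEntity()
                .then();
    }
}
```

Wire it in as the first delegate, e.g. new DelegatingServerLogoutHandler(revocationHandler, securityContextLogoutHandler, clearSiteDataLogoutHandler), injecting the ServerOAuth2AuthorizedClientRepository bean into the configuration. The removeAuthorizedClient call matters even when the provider call succeeds: SecurityContextServerLogoutHandler only removes the SecurityContext, so with the default WebSession-backed repository the authorized client (and its refresh token) would otherwise stay in the session.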