Is there a "logout" piece of the Authorization Code Flow?

In my app, when the user logs out, I reset the session which deletes all of the data stored in the current user session and also generates a new session id. Which all seems to be working great.

Where I’m confused is when the user chooses to login again, they aren’t prompted to input their username and password with Blizz again. Rather, some “magic” is happening where the same auth token is retrieved again and the user is logged back in.

It feels like when the user logs out and then chooses to log back in, there should be some kind of engagement from the user to re-authenticate. For example, if I wanted to login as a completely different user in my browser right now, I can’t.

So I’m wondering if there’s a “logout of blizz” piece that I’m missing? :thinking:

What you described is known as Single Sign On, if the user is already authenticated with Blizzard (the OAuth2 provider) the user does not have to sing in again.
This is by design and used by many providers. If the user wants to use a different account they must first sign out of their Blizzard account.