IdentityServer4 Session Hijacking


We're creating B2B software that contains web frontends which will often be used by different users on the same browser instance and in the same Windows user session.

The users are meant to "log out" of our web frontend by using our logout functionality. This makes sure the access tokens are removed from browser storage so that the website can no longer authenticate against our identity provider, which is based on IdentityServer4.

Recently we had a security engineer check this for various vulnerabilities.

He told us that since we're using the Hybrid Flow or the Implicit Flow with IdentityServer4, we have a session-hijacking vulnerability, because these flows transfer the access token resulting from a login via the callback URL to the site where the user logs in.

We have this vulnerability in our specific use case because, while we may be able to delete the access tokens from browser storage for our websites, these tokens will still reside in the browser history, since the called URLs are kept there. And our users will definitely use the same browser instance and thus the same Windows user session, as mentioned before.

Our website's logout logic cannot access the browser's history, since it is kept separate for security reasons, of course.

I would like to know: is this scenario (multiple users sharing one Windows session) not supported by IdentityServer4 at all, or is there a way to avoid transmitting the access token in the callback URL and instead deliver it in a different way that does not result in the access token being stored in the browser history?
