AT and consents revocation
OIDC Access Token still be usable when the user revoked its consents.
No logs available but you can reproduce the use case :
1/ Get an authorization code with oauth2/authorize endpoint (give your consents)
2/ Then request an access_token and id_token through oauth2/token endpoint
3/ Connect to the lemonldap Webui and revoke your consents
4/ You can still use the access_token of point 2 to request oauth2/getuserinfo endpoint even if you revoke your consents
Delete access_token when consents are revoked