OAuth2 with AuthorizationCode is using old/cached AuthCode when logging-out/logging-in #10229
vladislav-krastev started this conversation in General
Hello!
EDIT: for completeness, I'm using FastAPI, the relevant (same) question I asked there: 13012
Will make sure to update and close both threads when there is an answer in either one.
Logging-in and logging-out is done via the big green 'Authorize' button.
The first logging-in correctly fetches a new AuthCode from the OAuth provider.
However, logging-out and logging-in again (without refreshing the page or doing anything else) doesn't hit the `authorizationUrl` anymore, and just reuses whatever AuthCode was obtained on the first logging-in.
Refreshing the page, clicking the big green 'Authorize' button again and logging-in again seems to 'fix' it, as it correctly hits the `authorizationUrl` and gets a new AuthCode.
Testing it out with a local path for the `tokenUrl` param, which just manually resends the body to the real `tokenUrl` of the provider to obtain the AccessToken.
Observing the received request from the SwaggerUI form to the local `tokenUrl` path has the correct body (spaces and new lines inserted for readability):
Again, on the first login everything works fine and as expected.
Is this AuthCode caching on purpose, by design? Is there a way to disable it and force a request to the `authorizationUrl` each time someone's logging in?
Thank you in advance!
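A check that could sit in the local `tokenUrl` path described in the post, added here as an example (it is not part of the original post and is not Swagger UI or FastAPI code): it flags a token request whose authorization code was already seen, which RFC 6749 says a client must not send twice. The class name, the TTL and the sample request bodies are assumptions constructed for illustration.

```python
import hashlib
import time
from urllib.parse import parse_qs


class AuthCodeReplayGuard:
    """Flags token requests that reuse an authorization code (hypothetical helper)."""

    def __init__(self, ttl_seconds=600, clock=time.monotonic):
        self.ttl = ttl_seconds      # assumed retention window for seen codes
        self.clock = clock
        self._seen = {}             # sha256(code) -> time first seen

    def check(self, raw_body):
        """Return 'fresh', 'replayed', 'not_code_grant' or 'malformed'."""
        form = parse_qs(raw_body, keep_blank_values=True)
        if form.get("grant_type") != ["authorization_code"]:
            return "not_code_grant"
        codes = form.get("code", [])
        if len(codes) != 1 or not codes[0]:
            return "malformed"
        now = self.clock()
        # Forget entries older than the TTL; the provider stays the real authority.
        for digest in [d for d, t in self._seen.items() if now - t > self.ttl]:
            del self._seen[digest]
        # Store only a digest so the raw code never sits in memory or logs.
        digest = hashlib.sha256(codes[0].encode()).hexdigest()
        if digest in self._seen:
            return "replayed"
        self._seen[digest] = now
        return "fresh"


# Constructed form bodies, shaped like what a token proxy receives.
FIRST_LOGIN = "grant_type=authorization_code&code=CONSTRUCTED-CODE-1&client_id=demo"
SECOND_LOGIN = "grant_type=authorization_code&code=CONSTRUCTED-CODE-2&client_id=demo"
REFRESH = "grant_type=refresh_token&refresh_token=CONSTRUCTED-RT"


def classify(bodies, guard=None):
    """Run each body through one guard and return the verdicts in order."""
    guard = guard or AuthCodeReplayGuard()
    return [guard.check(b) for b in bodies]


if __name__ == "__main__":
    # Log-in, log-out, log-in again with the same code, as in the report.
    print(classify([FIRST_LOGIN, FIRST_LOGIN, SECOND_LOGIN, REFRESH]))
```

Logging the `replayed` verdict at the proxy shows which side resent the code before the request is forwarded to the provider.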