For single page applications the access token is stored as a cookie. The cookie needs to be expired in the logout endpoint response. Relates to #26
