OAuth flow imperfection - not, this is cookie lifetime

Hi koszmarnica

You're right that a user has to log in to the site (aka authentication) to give a third party app authorization to access their data.

Your app has it's own independent authentication.

When you log out of your app, they are de-authenticating themselves from your app, not from the PoE website. Allowing apps to log users out of the PoE website would be a security concern.

Your app has no control over how users authenticate with the PoE website.

You can read more about oAuth (and it's common misconceptions) here: https://oauth.net/articles/authentication/