Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Admin endpoint to delete the sessions and trigger backchannel logout for a subject #1693

Open
mohsen3 opened this issue Jan 14, 2020 · 0 comments

Comments

@mohsen3
Copy link

@mohsen3 mohsen3 commented Jan 14, 2020

Is your feature request related to a problem? Please describe.

There are cases that we need to force log out a user from all the first-party client applications, e.g., when users reset their password or admins of the account want to revoke a user from a firm.
Hydra already has an endpoint that allows us to delete the existing sessions for a specific user from Hydra, but per documentation:

will require the user to re-authenticate when performing the next OAuth 2.0 Authorize Code Flow

The documentation explicitly says that

This endpoint is not compatible with OpenID Connect Front-/Backchannel logout and does not revoke any tokens.

What I am looking for is to invalidate all the existing sessions in the client applications, that have the backchannel logout implemented, immediately (not on next flow execution).

Describe the solution you'd like

Add an additional parameter (e.g., trigger_logout=true) to the existing endpoint that allows us to trigger a backchannel logout once the subject's sessions are removed.

Describe alternatives you've considered

  • Add a new endpoint to the API: functionality has some overlap with the existing API endpoint. I am not sure if that is a good idea.

Additional context

I have already had a discussion about this issue on the forum.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant
You can’t perform that action at this time.