Is your feature request related to a problem? Please describe.
There are cases that we need to force log out a user from all the first-party client applications, e.g., when users reset their password or admins of the account want to revoke a user from a firm.
Hydra already has an endpoint that allows us to delete the existing sessions for a specific user from Hydra, but per documentation:
will require the user to re-authenticate when performing the next OAuth 2.0 Authorize Code Flow
The documentation explicitly says that
This endpoint is not compatible with OpenID Connect Front-/Backchannel logout and does not revoke any tokens.
What I am looking for is to invalidate all the existing sessions in the client applications, that have the backchannel logout implemented, immediately (not on next flow execution).
Describe the solution you'd like
Add an additional parameter (e.g., trigger_logout=true) to the existing endpoint that allows us to trigger a backchannel logout once the subject's sessions are removed.
Describe alternatives you've considered
Additional context
I have already had a discussion about this issue on the forum.
Any feedback on this issue?
Sorry, forgot to triage. Definitely makes sense to have such an endpoint in the Admin API. I think implementation will be some work because we have to enumerate all the clients that authenticated.
Please always keep in mind that this is not a forced logout for those apps but more like a "hey just in case you want to know we've logged out the user do whatever you want with this info", meaning that people may still be signed in (due to a bug or a lack of caring by the dev) even though they updated their password.
There are few 3d-party scenarios that I know of where "global logout" would be a thing.
Thank you @aeneasr! That makes sense to me. I think with OAuth/OIDC that's the best we can do. For sure, third party apps need to implement backchannel logout and need to handle the logout request properly.
This can not actually work using the Admin port, as Frontend Logout will not work there (we need to render javascript in a browser).
Having global logout exposed publicly can easily lead to a denial of service attack. Not sure how to fix this?
I think frontchannel logout does not work and don't see a way to do it. It's only about backchannel logout. And it's mostly about first-party apps where you trust the implementation. This is actually our use case too: we have an SSO service implemented using Hydra with a bunch of other first-party apps using the SSO service. Once the password of a user is changed or in some cases admin kicks out a user out of system, we need to log the user out of all services.
Hey! What do you think about this? Does it make sense? If you are OK with this approach, I can make a PR.
Sorry for the late reply! I will check if there's a recommendation from OpenID on how to approach this, maybe there's already a spec in the working for this exact use case!
Hey, any new thoughts?
Sorry again for keeping you waiting. I actually forgot to ask in the OpenID User Group but have set myself a reminder to not forget it again ;)
Hey @aeneasr, any update?
Sorry, I just sent the email to OIDC mailing list. I don't think that there will be a standard but let's see :)
I have not seen such a feature in OIDC documents either. Any update from the mailing list?
Yeah so after some back-and-forth there appears nothing to be that addresses this. So I guess we need to come up with our own! I think your initial suggestion would make sense to be added to the Admin Revoke Login Session API Endpoint!
Would you be open to work on this?
Yes, I can open a PR, but it probably takes a couple of weeks since I am currently busy with something else.
Hey @mohsen3 , I am sure you are quite busy, are you still up for contributing on this?
@vinckr I love to contribute but unfortunately I cannot guarantee any timeline for this ATM.
Most helpful comment
Sorry again for keeping you waiting. I actually forgot to ask in the OpenID User Group but have set myself a reminder to not forget it again ;)