/oauth2/revoke api should invoke consent-app callback


#1

Hi, this is based on the /oauth2/revoke API. How does Ory Hydra call the consent app to confirm or notify it to clear the cached session in the web browser?
Because after revoking the access token, when logging in again it goes to the grant-scope page instead of the login page.


#2

Access tokens are not “logging someone in”. So there is no need to let the consent app know if a token is revoked. Imagine if, every time some application revokes your Google access tokens, you would be logged out of Google, Google Mail, Google Calendar, Youtube, … - how annoying would that be?


#3

There is a scenario which I don't know how to handle with the consent app. I'll explain step by step.

  1. User requests login --> Display login page (consent app)
  2. User enters username/password then presses login.
  3. On the consent app, I validate the user login, then store the information in a cache and set a session cookie. Then I redirect to consent.
  4. The consent page validates the session cookie and asks for the grant scope: openid email profile.
  5. Access/refresh/ID tokens are returned to the client.

When the access token is revoked, it's OK; then the user logs in again. The session cookie is still available in the browser, so it goes to the consent screen (grant scope) instead of the login page as in step 1.
So how can I pass information during the flow in the consent app from the /login-method POST to /consent?


#4

The client and your consent app are completely separate things. If you log out of your client, you don't log out of your consent app. The client might be a third-party client (I wrote that) and you would not want your users to be logged out of your system if they log out of my app.

That said, you can force re-authentication using the prompt OpenID Connect parameter. Also, version 1.0.0 of ORY Hydra will have better support for session management (party!)!
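As an added illustration of the `prompt` parameter mentioned in #4 (example code, not from Ory Hydra or either poster): the client builds its authorization request with `prompt=login`, and the consent app, when it handles a login challenge, honours that prompt instead of trusting its own session cookie. It assumes the consent app can see the original authorization request URL for the challenge (the `request_url` parameter name is this example's own).

```python
from urllib.parse import urlencode, urlparse, parse_qs


def build_authorize_url(issuer, client_id, redirect_uri, scopes, state, force_login=False):
    """Build the OpenID Connect authorization request sent to Hydra's /oauth2/auth.

    force_login adds prompt=login, which asks the provider to re-authenticate the
    user even if a valid consent-app session cookie already exists.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # anti-CSRF value bound to the client session
    }
    if force_login:
        params["prompt"] = "login"
    return f"{issuer}/oauth2/auth?{urlencode(params)}"


def requested_prompts(request_url):
    """Return the set of space-separated prompt values in the original request URL."""
    query = parse_qs(urlparse(request_url).query)
    return set(query.get("prompt", [""])[0].split())


def must_show_login_page(request_url, session_cookie_valid):
    """Consent-app decision for a login challenge.

    Token revocation never ends the consent-app session (see #2 and #4), so the only
    way a client can force the login page is the prompt=login parameter; otherwise a
    valid session cookie lets the user skip straight to the consent (grant scope) screen.
    """
    if "login" in requested_prompts(request_url):
        return True
    return not session_cookie_valid


# Constructed sample values; the issuer and client_id are placeholders.
FORCED = build_authorize_url("https://hydra.example", "my-client",
                             "https://app.example/cb", ["openid", "email", "profile"],
                             "state123", force_login=True)
NORMAL = build_authorize_url("https://hydra.example", "my-client",
                             "https://app.example/cb", ["openid", "email", "profile"],
                             "state123")
```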