I apologize if this is more of a general OAuth2 related question.
My current project is to set up an OAuth2 system using Hydra, but it will initially only be used for first-party apps. Is there anyone in this community who has done this? Is using Hydra with first-party apps viable?
So far I am very impressed with Hydra, and I think it provides a very robust service that also allows for quite a lot of customization. But during my work, I can't help but feel like there are cases where using only OAuth2 tokens would create issues, because it can't always take details from the Identity Provider into consideration. For example, from looking at the documents, it seems like an issue could arise when a user updates their password in the following case:
If the user is logged in and changes their password from inside the application, there is no way to invalidate other sessions tied to that user.
This may be a lack of understanding on my part, but is it common to tie OAuth2 access tokens to a local session system in order to provide more granular control over a user’s session? Or do the OAuth2 specifications provide all the control you need? How are people using Hydra handling this?
My current view is that OAuth2 is mainly a method for authenticating a user via a third-party system without having to gain access to that user's credentials, but I have talked to others who say it is a viable first-party authentication system.
I would really appreciate any insight from the community!
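The gap described in the post (an access token keeps working after the user changes their password, because the token carries no knowledge of identity-provider events) is usually closed by having the resource server compare the token's issued-at time against the subject's last credential change. The following is an added illustration, not code from the post or from Ory Hydra: `introspect()` stands in for the response of an OAuth2 token introspection endpoint (RFC 7662, which returns `active`, `sub` and `iat`), and `credentials_changed_at`, `USERS` and the sample tokens are constructed, hypothetical data. In a real deployment the identity provider would also revoke the subject's sessions and tokens at the authorization server when the password changes (Hydra exposes admin endpoints for revoking a subject's login and consent sessions; check the documentation of the Hydra version you run for their exact paths).

```python
"""
Tie OAuth2 access tokens to the identity provider's credential state.

Assumed, hypothetical pieces (not Hydra APIs):
  - introspect(token): returns the kind of dict an RFC 7662 introspection
    endpoint would, with at least `active`, `sub` and `iat`.
  - USERS: per-subject record holding `credentials_changed_at`, the unix time
    of the last password change (or an explicit "log out everywhere").
"""
from dataclasses import dataclass
import time


@dataclass
class UserRecord:
    subject: str
    credentials_changed_at: int  # unix time of the last credential change


# Constructed sample identity-provider state.
USERS = {"alice": UserRecord("alice", credentials_changed_at=1_700_000_000)}

# Constructed sample introspection responses, keyed by opaque token value.
INTROSPECTION = {
    "tok-old": {"active": True, "sub": "alice", "iat": 1_699_999_000, "scope": "profile"},
    "tok-new": {"active": True, "sub": "alice", "iat": 1_700_000_500, "scope": "profile"},
    "tok-revoked": {"active": False},
}


def introspect(token):
    """Stand-in for a call to the authorization server's introspection endpoint."""
    return INTROSPECTION.get(token, {"active": False})


def token_is_acceptable(token):
    """Return (ok, reason) for a presented access token.

    Rejects tokens the authorization server reports as inactive, and tokens
    issued before the subject's last credential change. The second check is
    what turns "user changed password" into "older sessions are invalid" even
    though the token bytes themselves never change.
    """
    info = introspect(token)
    if not info.get("active"):
        return False, "inactive"
    sub = info.get("sub")
    iat = info.get("iat")
    if sub is None or iat is None:
        # Without these claims the check cannot be made; fail closed.
        return False, "missing claims"
    user = USERS.get(sub)
    if user is None:
        return False, "unknown subject"
    # Strict "<" so a token issued in the same second as the change is still
    # accepted; use "<=" if you prefer to fail closed on that boundary.
    if iat < user.credentials_changed_at:
        return False, "issued before credential change"
    return True, "ok"


def change_password(subject, at=None):
    """Identity-provider hook for a password change.

    Bumping the timestamp invalidates every token issued earlier for this
    subject. In production the same hook should also ask the authorization
    server to revoke the subject's sessions and outstanding tokens.
    """
    at = int(time.time()) if at is None else at
    USERS[subject].credentials_changed_at = at
    return at


if __name__ == "__main__":
    for tok in ("tok-old", "tok-new", "tok-revoked"):
        print(tok, token_is_acceptable(tok))
    change_password("alice", at=1_700_001_000)
    print("after password change:", "tok-new", token_is_acceptable("tok-new"))
```

The check lives in the resource server (or an API gateway in front of it), so it works with opaque tokens and introspection as well as with self-contained JWTs; the only requirement is that the identity provider's credential-change timestamp is reachable from wherever tokens are validated.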