Help understanding the proper use of the logout flows


#1

Hi guys,

I’ve been reading the docs trying to understand what series of steps needs to be performed when an end-user clicks to log out. To provide more context, basically, I have a RESTful API that is to be consumed by several kinds of clients (e.g. web apps, mobile apps).

So from the point of view of a web application: the user can have several sessions (on different machines). If the user logs out of a single session, the other sessions have to remain active and valid. None of the endpoints mentioned in the guide supports that flow, because there is a web client (id) that is unique and global. Therefore, revoking login and/or consent per client-id will immediately revoke the other open sessions.

Most likely I’m missing something here so I’d appreciate your help.

I haven’t tested the flows for a mobile app, but it would be nice to have some docs/guide explaining the logout flows for each kind of client (or scenario) that Hydra proposes/supports.


#2

Since OIDC / OAuth2 is a federation protocol, the clients have to log out by e.g. removing state from localStorage or by removing a session cookie. Here’s an example to make this more clear: Assuming you’re authorizing an App that requests access to your GitHub account (e.g. CircleCI) via OIDC/OAuth2 - if you log out of GitHub you will not be logged out of CircleCI since those two applications are not linked. If you log out of CircleCI you will also not be logged out of GitHub - the two apps are completely separate.

There are some specs regarding OIDC session management we’re thinking about implementing which would work for SSO log out capabilities but they’re definitely for more advanced use cases.
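To make the two layers concrete, here is a small Python model (an added illustration, not Hydra’s or any project’s code; all class and method names are invented) of a relying party with its own session cookies sitting on top of a provider that issues tokens and can revoke a user’s consent per client, as post #1 describes. It shows that a local logout touches one session only, while per-client revocation at the provider kills that user’s tokens on every device and still leaves the provider’s own login session intact.

```python
from dataclasses import dataclass, field
import secrets

@dataclass
class Provider:
    # The OAuth2/OIDC provider's view: issued tokens and its own login sessions
    tokens: dict = field(default_factory=dict)        # token -> (subject, client_id)
    login_sessions: set = field(default_factory=set)  # subjects logged in at the provider

    def login(self, subject):
        self.login_sessions.add(subject)

    def issue_token(self, subject, client_id):
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = (subject, client_id)
        return tok

    def introspect(self, tok):
        return tok in self.tokens

    def revoke_consent(self, subject, client_id):
        # Per-client revocation: every token this subject granted to this client dies,
        # on every device, while the provider's own login session is untouched.
        self.tokens = {t: v for t, v in self.tokens.items() if v != (subject, client_id)}

@dataclass
class ClientApp:
    # A relying party (web app) with its own session store (constructed example)
    client_id: str
    provider: Provider
    sessions: dict = field(default_factory=dict)  # session cookie -> access token

    def login(self, subject):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = self.provider.issue_token(subject, self.client_id)
        return cookie

    def is_logged_in(self, cookie):
        tok = self.sessions.get(cookie)
        return tok is not None and self.provider.introspect(tok)

    def logout(self, cookie):
        # Local logout: drop the client's session only; the provider is not involved.
        self.sessions.pop(cookie, None)

def demo():
    idp = Provider(); app = ClientApp("web-app", idp)
    idp.login("alice")
    laptop, phone = app.login("alice"), app.login("alice")  # two devices, one user
    app.logout(laptop)                                      # one device logs out
    local = (app.is_logged_in(laptop), app.is_logged_in(phone))   # (False, True)
    idp.revoke_consent("alice", "web-app")                        # admin-side revocation
    return local, app.is_logged_in(phone), "alice" in idp.login_sessions
```

`demo()` returns `((False, True), False, True)`: local logout spares the phone session, revocation then ends it, and the provider session survives both.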


#3

Thanks for the clarification @arekkas. Would it make sense to revoke the OAuth2 token at logout, or better to just remove it from whatever session storage is being used and let it expire?

Lastly, the login & consent is also confusing because, since it’s a separate “application”, it seems that there is also a “session” to be managed there, and this one is tied to the Hydra admin endpoints as explained in the docs.

When (from the client users’ point of view and/or the client devs’) would it make sense to (call) revoke these sessions? I think this is what led me to confuse the OIDC/OAuth2 protocol with the session management.


#4

You may revoke them if you want to log people out of your OAuth2 provider - again, those are different concepts!