How to logout the users after password reset?

After password reset, I want to log the user out of all the apps. I want to do it using the backchannel so I can make sure all the sessions are invalidated. But since it needs to be done from the backchannel, there is no active session. The backchannel logout oauth2/sessions/logout requires either an active session or an id_token_hint . I can list the active sessions using /auth/sessions/consent?subject=string endpoint, but there is no id_token in it to use as a hint. Is there a better way to achieve this or I need to do a front channel request?

Have you tried

@michaeld Thank you for your reply. This actually

will require the user to re-authenticate when performing the next OAuth 2.0 Authorize Code Flow

But what I am looking for is to invalidate all the existing sessions in the client applications immediately (not on next flow execution). We have already implemented the backchannel logout for our services, so I wonder if there is a way to trigger backchannel logout through the Hydra admin API (not through the front channel)?

Note that the doc you linked explicitly says that

This endpoint is not compatible with OpenID Connect Front-/Backchannel logout and does not revoke any tokens.

There is currently no such API to trigger this from the admin endpoint but I do think that there’s a need for it. It would be triggered when, for example, the password is changed.

Keep in mind that FC/BC logout is not enforcable on third parties - they may or may not log people out. So this only truly works for first-party apps where you trust the implementation (and the tests :wink: )

We can set up an issue in hydra and subsequent discussion and PR - who’s up for it? :slight_smile:

I created an issue

Thank you!

1 Like