Log out from first-party applications

Hi,
I want to know how to log out the right way in our first-party web and SPA applications?

We implemented our own login and consent provider (thanks ORY for the great examples) and configured Hydra.
We're going to use an ID token for authentication (user attributes) and an access token (and refresh token) for authorization (permissions) to access our API.

As I can see there are 3 components in the log out process:

  1. Session logout (front- or back-channel) - as mentioned in the Hydra documentation https://www.ory.sh/docs/hydra/implementing-consent#user-logout
    After that the user must re-enter their password.
  2. Access token revocation through https://www.ory.sh/docs/hydra/sdk/api#revoke-oauth2-tokens
    After that the access token cannot be used to request the API - it fails after introspection.
  3. Delete the tokens locally in the application.

How to combine these components correctly?
Maybe there is an example? Or maybe there are any hints regarding what should be done?

Thank you.

1 Like

I am also looking for guidance and recommendations on this. Thanks.

For our first-party app, we do #2 and #3.
We have a logout endpoint and we first revoke the access/refresh tokens on Hydra, then clear the cookies and redirect to the sign-in page.

I think that #1 is less relevant for first-party apps. In third-party apps there is a user logged into an application (an RP) that authenticated against an OP. The user needs to log out of the RP and the OP in such a manner as to ensure that if the user goes back to the RP URL, then the user will be prompted for credentials again.

2 Likes
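A sketch of the logout endpoint michaeld describes (revoke on Hydra, then clear cookies, then redirect), as an added example that is not code from this thread or from ORY. The Hydra URL, client ID and secret are placeholders, the cookie names are assumptions, and `send` is injectable so the flow can be exercised without a running Hydra; it uses the standard RFC 7009 revocation endpoint that Hydra exposes at `/oauth2/revoke`.

```python
import base64
import urllib.parse
import urllib.request

# Placeholder settings (assumed, not from the thread).
HYDRA_PUBLIC_URL = "https://hydra.example.com"  # placeholder
CLIENT_ID = "first-party-app"                   # placeholder
CLIENT_SECRET = "change-me"                     # placeholder

# Assumed cookie names the first-party app stores its tokens in.
TOKEN_COOKIES = (("refresh_token", "refresh_token"), ("access_token", "access_token"))
ALL_COOKIES = ("access_token", "refresh_token", "id_token")


def build_revocation_request(token, token_type_hint):
    """Build an RFC 7009 revocation request for Hydra's /oauth2/revoke.
    Returns (url, headers, body) so it can be inspected or sent."""
    body = urllib.parse.urlencode({"token": token, "token_type_hint": token_type_hint})
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",  # confidential-client auth
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return f"{HYDRA_PUBLIC_URL}/oauth2/revoke", headers, body


def send_revocation(url, headers, body):
    """Real sender: POST to Hydra and return the HTTP status."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def logout(cookies, send=send_revocation):
    """Step 2 then step 3 from the thread: revoke each token the app holds,
    then clear the cookies and hand back the redirect target."""
    revoked = []
    for cookie_name, hint in TOKEN_COOKIES:  # revoke both, refresh token first
        token = cookies.get(cookie_name)
        if not token:
            continue
        url, headers, body = build_revocation_request(token, hint)
        # RFC 7009: 200 means revoked (or already invalid); anything else failed
        # and should be logged, but the local session is cleared either way.
        revoked.append((hint, send(url, headers, body) == 200))
    clear = [f"{n}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax" for n in ALL_COOKIES]
    return {"revoked": revoked, "set_cookie": clear, "redirect": "/sign-in"}
```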

Well said michaeld!