I want to know how to log out the right way in our first-party web and SPA applications.
We implemented our own login and consent provider (thanks ORY for the great examples) and configured Hydra.
We're going to use an ID token for authentication (user attributes) and an access token (and refresh token) for authorization (permissions) to access our API.
As I can see, there are 3 components in the logout process:
- Session logout (front- or back-channel), as mentioned in the Hydra documentation: https://www.ory.sh/docs/hydra/implementing-consent#user-logout
  After that the user must re-enter their password.
- Access token revocation through https://www.ory.sh/docs/hydra/sdk/api#revoke-oauth2-tokens
  After that the access token cannot be used for API requests; it fails introspection.
- Delete tokens locally in the application.
How do I combine these components correctly?
Is there maybe an example? Or does anyone have a hint regarding what should be done?
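As an added example (not code from the original post or from ORY), here is one way to chain the three steps in a first-party SPA: revoke at Hydra, clear local storage, then redirect to Hydra's RP-initiated logout. The Hydra URL, client id, storage object and the injected fetch/redirect functions are assumptions; the endpoint paths are Hydra's standard /oauth2/revoke and /oauth2/sessions/logout.

```javascript
// Added example (not from the original post): chaining the three logout steps
// for a SPA against ORY Hydra. URL, client id and storage are placeholders.
const HYDRA_PUBLIC_URL = "https://hydra.example.com"; // placeholder
const CLIENT_ID = "my-spa"; // placeholder public client (no client secret)

// RFC 7009 revocation request for Hydra's /oauth2/revoke endpoint.
// A public client identifies itself with client_id in the form body.
function buildRevocationRequest(token, tokenTypeHint) {
  const body = new URLSearchParams({ token, token_type_hint: tokenTypeHint, client_id: CLIENT_ID });
  return {
    url: `${HYDRA_PUBLIC_URL}/oauth2/revoke`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// OpenID Connect RP-initiated logout URL. id_token_hint lets Hydra end the
// session for that user without a confirmation prompt; state must be checked
// on return so the post-logout redirect cannot be forged.
function buildLogoutUrl(idToken, postLogoutRedirectUri, state) {
  const url = new URL(`${HYDRA_PUBLIC_URL}/oauth2/sessions/logout`);
  url.searchParams.set("id_token_hint", idToken);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  url.searchParams.set("state", state);
  return url.toString();
}

// Order: revoke the refresh token, then the access token (so nothing usable
// is left even if the server treats them independently), then drop the local
// copies, then redirect to end the browser session. Local deletion happens even
// if revocation fails, so the app never keeps a token it believes to be dead.
async function logout(storage, { fetchFn, redirectFn, postLogoutRedirectUri, state }) {
  const { accessToken, refreshToken, idToken } = storage.readTokens();
  const trace = []; // what happened, for tests and client-side logging
  for (const [token, hint] of [[refreshToken, "refresh_token"], [accessToken, "access_token"]]) {
    if (!token) continue;
    const req = buildRevocationRequest(token, hint);
    try {
      const res = await fetchFn(req.url, { method: req.method, headers: req.headers, body: req.body });
      trace.push(`revoke:${hint}:${res.status}`);
    } catch {
      trace.push(`revoke:${hint}:error`);
    }
  }
  storage.clearTokens();
  trace.push("cleared");
  redirectFn(buildLogoutUrl(idToken, postLogoutRedirectUri, state));
  trace.push("redirected");
  return trace;
}
```

If a back-channel logout URL is registered for the client, Hydra calls it during the redirect step, so the backend can drop its own session as well.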