Refresh token and logout

Hi there,

When using the logout api /auth/sessions/logout the user is requested it’s credentials when asking for a new token as expected but I am surprised that he can request a new access token using the refresh token issued at login time.

  • request token /oauth2/auth
  • enter credentials using a custom form
  • call /oauth2/token with code to get access, id and refresh token
  • request token /oauth2/auth send code directly without getting credential (remember set to true)
  • call /oauth2/sessions/logout to logout
  • request token /oauth2/auth redirect to form (ok logged out)
  • call /oauth2/token with refresh token return get access, id and refresh token (should no as logged out)

Am I missing something?

Hydra version: 1.4.9

Yes, OAuth2 is not a login protocol. Logging out of GitHub does not log you out of this forum (or CircleCI, TravisCI, …).

Ok, I assume I’ll need to do a logout and call revoke token for one client. The other clients won’t be affected by the logout.

Assuming that a user is signed in on one client, he is signed in on the other clients (when remember set to true). I naïvely thought that when he would signout of one client he would be signed out of the other client as well (which is the case as the cookies are destroyed) but he can still use a refresh token to get an access token.
So you tell me that hydra is not a login protocol but you provide the “skip” boolean on “login request” which look to me like a part of a login protocol…

All of this is confusing.

OAuth2 is not a login protocol. Access Tokens are not a session. There are ways to solve what you want with OpenID Connect such as OpenID Connect Front-/Backchannel logout, which Hydra supports. I’d recommend using something like if you want that.

To me it sounds like you really are looking for a Single Sign On solution. Maybe give ORY Kratos a try, it will also support tokens for API authorization. You can add Hydra with OAuth2 later if you really need OAuth2.

Hi @hackerman, I stumbled upon your comment while looking for information about implementing single sign on using Hydra. Does it mean that Hydra does not support Single Sign On?

I also found this old pull request, but nothing else about SSO+Hydra:

OpenID is a federated SSO protocol. If you want that, Hydra solves that.