Refresh token and logout

Hi there,

When using the logout API /auth/sessions/logout, the user is asked for his credentials when requesting a new token, as expected, but I am surprised that he can request a new access token using the refresh token issued at login time.

  • request token /oauth2/auth
  • enter credentials using a custom form
  • call /oauth2/token with the code to get access, ID and refresh tokens
  • request token /oauth2/auth: the code is sent directly without asking for credentials (remember set to true)
  • call /oauth2/sessions/logout to log out
  • request token /oauth2/auth: redirected to the form (OK, logged out)
  • call /oauth2/token with the refresh token: returns access, ID and refresh tokens (should not, as logged out)

Am I missing something?

Hydra version: 1.4.9

Yes, OAuth2 is not a login protocol. Logging out of GitHub does not log you out of this forum (or CircleCI, TravisCI, …).

OK, I assume I’ll need to do a logout and call revoke token for one client. The other clients won’t be affected by the logout.

Assuming that a user is signed in on one client, he is signed in on the other clients (when remember is set to true). I naïvely thought that when he would sign out of one client he would be signed out of the other clients as well (which is the case, as the cookies are destroyed), but he can still use a refresh token to get an access token.
So you tell me that Hydra is not a login protocol, but you provide the “skip” boolean on “login request”, which looks to me like a part of a login protocol…

All of this is confusing.

OAuth2 is not a login protocol. Access Tokens are not a session. There are ways to solve what you want with OpenID Connect such as OpenID Connect Front-/Backchannel logout, which Hydra supports. I’d recommend using something like https://github.com/panva/node-openid-client if you want that.

To me it sounds like you really are looking for a Single Sign On solution. Maybe give ORY Kratos a try, it will also support tokens for API authorization. You can add Hydra with OAuth2 later if you really need OAuth2.
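The two replies above make one point: the browser login session and a client's refresh token are separate objects, so ending the session does not invalidate the token, and revoking the token (RFC 7009 token revocation, which Hydra exposes at /oauth2/revoke) affects only the one client that holds it. The following toy model is an added illustration written for this thread; it is not code from the thread, from Hydra or from node-openid-client. The `ToyAuthServer` class, its method names and the refresh-token rotation it performs are constructed assumptions that only mimic the steps listed in the original post.

```python
"""Toy model of the behaviour discussed in this thread (constructed
illustration, not ORY Hydra code): a login session and a refresh
token are independent, and only revocation invalidates the token."""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    """One client's refresh token, remembering which session issued it."""
    client_id: str
    subject: str
    session_id: str
    revoked: bool = False


class ToyAuthServer:
    """Minimal stand-in for an OAuth2/OIDC provider (assumed, not Hydra)."""

    def __init__(self) -> None:
        self.sessions: dict[str, str] = {}   # session cookie -> subject
        self.grants: dict[str, Grant] = {}   # refresh token -> Grant

    def login(self, subject: str) -> str:
        """User enters credentials on the login form; a session cookie is set."""
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = subject
        return cookie

    def authorize(self, cookie: str, client_id: str) -> str | None:
        """Mimics /oauth2/auth: a live session skips the login form ("skip")
        and a refresh token is issued; no session means redirect to the form."""
        subject = self.sessions.get(cookie)
        if subject is None:
            return None  # would redirect to the login form
        token = secrets.token_urlsafe(24)
        self.grants[token] = Grant(client_id, subject, cookie)
        return token

    def refresh(self, refresh_token: str) -> str | None:
        """Mimics /oauth2/token with grant_type=refresh_token. Only the
        grant's own state is checked; the session cookie is never consulted."""
        grant = self.grants.get(refresh_token)
        if grant is None or grant.revoked:
            return None
        grant.revoked = True  # rotation: the old refresh token is single-use
        new_token = secrets.token_urlsafe(24)
        self.grants[new_token] = Grant(grant.client_id, grant.subject, grant.session_id)
        return new_token

    def logout_session(self, cookie: str) -> None:
        """Mimics /oauth2/sessions/logout: ends the browser session only."""
        self.sessions.pop(cookie, None)

    def revoke(self, refresh_token: str, client_id: str) -> None:
        """RFC 7009 style revocation: a client may revoke only its own
        tokens; unknown or foreign tokens are ignored without error."""
        grant = self.grants.get(refresh_token)
        if grant is not None and grant.client_id == client_id:
            grant.revoked = True


def client_logout(server: ToyAuthServer, cookie: str,
                  refresh_token: str, client_id: str) -> None:
    """What a client should do on logout: revoke its own refresh token
    first, then end the provider-side session."""
    server.revoke(refresh_token, client_id)
    server.logout_session(cookie)


def scenario(revoke_on_logout: bool) -> dict[str, bool]:
    """Replays the poster's steps for two clients sharing one session."""
    srv = ToyAuthServer()
    cookie = srv.login("alice")                 # constructed sample subject
    rt_a = srv.authorize(cookie, "client-a")    # credentials entered once
    rt_b = srv.authorize(cookie, "client-b")    # second client: skip path
    if revoke_on_logout:
        client_logout(srv, cookie, rt_a, "client-a")
    else:
        srv.logout_session(cookie)              # logout without revocation
    return {
        "new_auth_skips_login": srv.authorize(cookie, "client-a") is not None,
        "client_a_refresh_works": srv.refresh(rt_a) is not None,
        "client_b_refresh_works": srv.refresh(rt_b) is not None,
    }


if __name__ == "__main__":
    print("logout only:       ", scenario(False))
    print("logout with revoke:", scenario(True))
```

Run as a script, the first line shows the situation the original post describes: after the session logout a fresh /oauth2/auth no longer skips the form, yet both clients' refresh tokens still work. The second line shows the fix the poster arrived at: revoking client-a's refresh token before logging out stops client-a's refresh, while client-b is untouched. Ending client-b's session too is exactly what OpenID Connect front-/back-channel logout is for.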

Hi @hackerman, I stumbled upon your comment while looking for information about implementing single sign on using Hydra. Does it mean that Hydra does not support Single Sign On?

I also found this old pull request, but nothing else about SSO+Hydra: https://github.com/ory/hydra/pull/6

OpenID is a federated SSO protocol. If you want that, Hydra solves that.