Revoking client access


#1

Hello.

I’ve been playing around with Hydra for a while now. I have created a consent app, everything is fine on that front.

Now I came to the part where I want to allow my Users to manage the access they had given out (specifically offline access / refresh tokens). Just like, for example, Google allows you to see which apps have access to your Google Account and revoke it.

I’m trying to make my consent app a full-fledged account management app, again, similar to what you see in Google Account if you log in directly (2FA, app access management etc).

I don’t see any functionality in Hydra that would allow me to do this. I know that token revocation is possible, but then I need the specific access/refresh token. My question is how do I look up all the refresh/access tokens for a specific subject to allow the mentioned subject to selectively revoke those tokens?

I understand this might have security concerns, but then how does Google do it?

For functionality I need to get the tokens to pass to the revocation endpoint and related client details to show to the user what token is used for what client.

I looked at the database structure and everything seems there to just grab and use. I can in fact patch in the functionality I need (although my Go knowledge is limited), but I was wondering whether you had planned such functionality at all? Or rejected it for some reason?

Maybe I’m missing some crucial point here (security related or otherwise).

I guess another way would be to store all the needed info on the consent app side, after consent acceptance. But then there’s the possibility of inconsistencies across the multiple databases, which I’d like to avoid.


#2

You’re probably looking for this issue: https://github.com/ory/hydra/issues/304


#3

And also: https://github.com/ory/hydra/pull/720
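One way to build the per-subject "which clients have access, and revoke one" view asked about in #1, added here as an example and not code from the thread or the Hydra project. It assumes Hydra's admin API exposes consent sessions at `/oauth2/auth/sessions/consent` with `subject` and `client` query parameters (an assumption; the thread only links to the issue and PR), and it uses a constructed in-memory stand-in for that API so it runs offline.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import Request
# Hydra admin endpoint assumed here; the thread itself does not name it.
CONSENT_SESSIONS = "/oauth2/auth/sessions/consent"

def list_client_access(admin_url, subject, send):
    """One entry per client the subject has an active consent grant for.
    `subject` must come from the consent app's own login session, never from
    user input, so a user can only ever see and revoke their own grants.
    `send(Request) -> (status, body)` is the transport (urllib in production)."""
    url = f"{admin_url}{CONSENT_SESSIONS}?{urlencode({'subject': subject})}"
    status, body = send(Request(url, method="GET"))
    if status != 200:
        raise RuntimeError(f"listing consent sessions failed: HTTP {status}")
    entries = []
    for s in json.loads(body):
        client = s["consent_request"]["client"]
        entries.append({"client_id": client["client_id"],
                        "client_name": client.get("client_name") or client["client_id"],
                        "scopes": sorted(s.get("grant_scope", []))})
    return entries

def revoke_client_access(admin_url, subject, client_id, send):
    """Revoke the subject's consent for one client; the tokens issued under it go with it."""
    query = urlencode({"subject": subject, "client": client_id})
    status, _ = send(Request(f"{admin_url}{CONSENT_SESSIONS}?{query}", method="DELETE"))
    return status == 204

class FakeHydra:
    """Constructed stand-in for the admin API so the example runs offline."""
    def __init__(self, sessions):
        self.sessions = list(sessions)
    def send(self, req):
        q = parse_qs(urlparse(req.full_url).query)
        mine = [s for s in self.sessions if s["consent_request"]["subject"] == q["subject"][0]]
        if req.get_method() == "GET":
            return 200, json.dumps(mine).encode()
        self.sessions = [s for s in self.sessions if s not in mine
                         or s["consent_request"]["client"]["client_id"] != q["client"][0]]
        return 204, b""

def grant(subject, client_id, name, scopes):  # constructed sample consent session
    return {"consent_request": {"subject": subject,
                                "client": {"client_id": client_id, "client_name": name}},
            "grant_scope": scopes}

SAMPLE = [grant("alice", "cal-app", "Calendar", ["openid", "offline"]),
          grant("alice", "mail-app", "Mail", ["openid", "email"]),
          grant("bob", "cal-app", "Calendar", ["openid"])]
```

The admin port the `send` transport talks to must stay internal to the consent app's backend; the browser only ever sees the app's own authenticated pages.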