I am using Hydra for a first-party app.
I do not manage a session, I rely on Hydra for that. So you can say the access/refresh tokens hold the session.
Therefore, to invalidate other sessions for a user, I need to invalidate all other access tokens.
There’s an API to delete all login sessions for a specific subject:
Maybe we need an API to get all login sessions for a subject
So that I can delete specific ones:
Or something of that sort.
I am not sure if that is something you consider in Hydra’s scope or not. I think the use case is valid; it is common to log out all other connected users in password reset flows. But the use of Hydra for a first-party app is less common, I guess.
Another workaround is to bypass Hydra’s API and do it directly on Hydra’s database.