Hi all,
Sorry for digging up this post, but I have another use case that may need the requested feature of specific login session revocation.
When the user checks the remember checkbox in my login page, I tell hydra to remember the user for, let's say, a week in the login accept request. Which means that during a week, each time the user wants to authorize a new application, he will be automatically logged in and redirected to the consent page.
On this consent page I would like to display a "switch account" button, in order to give the user the possibility to change the currently connected account.
The way I handle this feature currently is by getting the consent request information with the GET /oauth2/auth/requests/consent request, then I use DELETE /oauth2/auth/sessions/login with the Subject I retrieved in the GET call. And then I redirect the user to RequestURL, which I also retrieved in the get consent information call (RequestURL contains the original URL used on the authorization endpoint).
The problem with this way of doing it is that I revoke all the login sessions of the user, which means that if he is connected on his laptop and his smartphone, and he clicks the switch account button on his laptop, he will also be disconnected on his smartphone.
The reason I think the capacity of revoking a specific session would be useful is that in the get consent information call, I retrieve the login session of the currently logged-in user. So instead of revoking all his sessions, I could revoke only his current session.
Also, as it's one of my major concerns currently, I can be up for developing the feature and proposing a PR if you are ok with the requested feature.
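The flow described in the post, modelled as an added Python example (not Hydra's code and not the poster's): a constructed in-memory stand-in for the two admin endpoints shows why revoking by subject also logs the smartphone out, beside the per-session variant the post asks for (hypothetical, not an existing Hydra endpoint).

```python
"""Constructed model of the "switch account" flow; Hydra is never contacted."""
from dataclasses import dataclass, field


@dataclass
class LoginSession:
    session_id: str   # one login session per browser/device
    subject: str


@dataclass
class FakeHydraAdmin:
    """Stand-in for the admin API used in the post (constructed, not Hydra)."""
    sessions: dict = field(default_factory=dict)   # session_id -> LoginSession
    consents: dict = field(default_factory=dict)   # consent_challenge -> (session_id, request_url)

    def get_consent_request(self, challenge):
        # Models GET /oauth2/auth/requests/consent?consent_challenge=...
        session_id, request_url = self.consents[challenge]
        s = self.sessions[session_id]
        return {"subject": s.subject, "login_session_id": session_id,
                "request_url": request_url}

    def revoke_login_sessions(self, subject):
        # Models DELETE /oauth2/auth/sessions/login?subject=...
        # Coarse-grained: every session of the subject, on every device, goes.
        for sid in [sid for sid, s in self.sessions.items() if s.subject == subject]:
            del self.sessions[sid]

    def revoke_login_session(self, session_id):
        # Hypothetical per-session revocation, the feature the post requests.
        self.sessions.pop(session_id, None)


def switch_account(admin, consent_challenge):
    """Handler behind the button as implemented today; returns the redirect URL."""
    info = admin.get_consent_request(consent_challenge)
    admin.revoke_login_sessions(info["subject"])   # logs out all devices
    return info["request_url"]


def switch_account_current_only(admin, consent_challenge):
    """Same handler using the requested per-session revocation."""
    info = admin.get_consent_request(consent_challenge)
    admin.revoke_login_session(info["login_session_id"])   # this device only
    return info["request_url"]


def build_demo():
    """Constructed scenario: alice remembered on two devices, consent on laptop."""
    admin = FakeHydraAdmin()
    admin.sessions["laptop"] = LoginSession("laptop", "alice")
    admin.sessions["phone"] = LoginSession("phone", "alice")
    admin.consents["c1"] = ("laptop", "https://auth.example/oauth2/auth?client_id=app")
    return admin
```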