Before asking this question I tried to find the solution myself, and indeed there is a similar question
https://github.com/ory/hydra/issues/1651, but the problem is that I didn't catch the idea of the given answer. I followed the recommended link, then the one to read first: https://www.ory.sh/hydra/docs/concepts/logout, and I saw there the phrase:
"This endpoint does not remove any Access/Refresh Tokens."
So I'm still a little confused; that's why I decided to ask again.
What we have is a simple SPA client and a REST server. To authorize a user we use ORY Hydra. We use the authorization code flow, and up to a certain point everything works as expected. But what we would like to achieve, and don't fully understand how to do, is:
- When a user logs out from the client, the next time he must go through the login procedure again (including providing his credentials in the login window). This part is more or less clear; it seems to be enough to go through the logout flow from the link above.
- The user must be unable to use his previously issued token once he has logged out. But as far as I understood from the documentation and from playing with different flows, the token is not automatically revoked, neither on creating a new token nor even after successfully completing the logout flow.
So I would be very grateful for a pointer in the right direction. What is the right place and time to revoke an old access token? Do we really need to do it ourselves at some point in the logout flow? And if yes, what is the reason it isn't done by ORY Hydra itself?
Thanks in advance.
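As an added example (not part of the original post, and not ORY's own code), the following shows the client-side logout sequence the post is asking about: the client first revokes the tokens it holds at Hydra's RFC 7009 revocation endpoint `/oauth2/revoke`, and only then sends the browser to the OpenID Connect logout endpoint `/oauth2/sessions/logout`. The Hydra hostname, client id, client secret and token strings are constructed placeholders, and `send` is a hypothetical transport callable so that the block runs offline; in a real deployment it would be a real HTTP POST.

```python
import base64
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

# Constructed sample values for illustration only (not from the original post).
HYDRA_PUBLIC_URL = "https://hydra.example.test"   # Hydra public port (assumed)
CLIENT_ID = "spa-client"
CLIENT_SECRET = "s3cr3t-example"                   # use None for a public (browser) client

Request = Tuple[str, str, Dict[str, str], str]              # (method, url, headers, form body)
Sender = Callable[[str, str, Dict[str, str], str], int]     # hypothetical transport, returns HTTP status


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic authentication: 'Basic base64(client_id:client_secret)'."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return f"Basic {creds}"


def build_revocation_request(hydra_url: str, token: str, token_type_hint: str,
                             client_id: str, client_secret: Optional[str] = None) -> Request:
    """Build an RFC 7009 revocation request for Hydra's /oauth2/revoke endpoint.

    A confidential client authenticates with HTTP Basic; a public client (such as
    an SPA that cannot keep a secret) only sends its client_id in the form body.
    """
    if token_type_hint not in ("access_token", "refresh_token"):
        raise ValueError(f"unsupported token_type_hint: {token_type_hint}")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"token": token, "token_type_hint": token_type_hint}
    if client_secret is not None:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        form["client_id"] = client_id
    return ("POST", hydra_url.rstrip("/") + "/oauth2/revoke", headers, urlencode(form))


def build_logout_url(hydra_url: str, id_token: str,
                     post_logout_redirect_uri: str, state: str) -> str:
    """OpenID Connect RP-initiated logout URL on Hydra's /oauth2/sessions/logout.

    id_token_hint identifies the session to end; post_logout_redirect_uri must be
    registered on the client in Hydra; state is echoed back to the redirect URI.
    """
    query = urlencode({"id_token_hint": id_token,
                       "post_logout_redirect_uri": post_logout_redirect_uri,
                       "state": state})
    return hydra_url.rstrip("/") + "/oauth2/sessions/logout?" + query


def logout(hydra_url: str, tokens: Dict[str, str], client_id: str,
           client_secret: Optional[str], send: Sender,
           post_logout_redirect_uri: str, state: str) -> Tuple[Dict[str, bool], str]:
    """Revoke the tokens the client holds, then return the URL the browser must be sent to.

    Returns ({token_type_hint: revoked?}, logout_url). The refresh token goes first,
    since it is what would otherwise mint new access tokens after logout.
    """
    revoked: Dict[str, bool] = {}
    for hint in ("refresh_token", "access_token"):
        token = tokens.get(hint)
        if not token:
            continue
        method, url, headers, body = build_revocation_request(
            hydra_url, token, hint, client_id, client_secret)
        # RFC 7009: HTTP 200 means revoked (or already invalid); anything else needs attention.
        revoked[hint] = send(method, url, headers, body) == 200
    return revoked, build_logout_url(hydra_url, tokens["id_token"],
                                     post_logout_redirect_uri, state)


if __name__ == "__main__":
    # Stand-alone demo with a transport that only prints what would be sent.
    def print_send(method: str, url: str, headers: Dict[str, str], body: str) -> int:
        print(method, url, headers, body)
        return 200

    demo_tokens = {"access_token": "at-constructed", "refresh_token": "rt-constructed",
                   "id_token": "idt-constructed"}
    print(logout(HYDRA_PUBLIC_URL, demo_tokens, CLIENT_ID, CLIENT_SECRET, print_send,
                 "https://spa.example.test/", "xyz"))
```

Two design points: revocation is sent for both token types because RFC 7009 makes the call idempotent (an already-invalid token still yields 200), so the extra request costs nothing and does not depend on whether a given Hydra version cascades from one token type to the other; and the resource server still needs to check token state (for example via Hydra's introspection endpoint on the admin port) rather than trusting a token until its expiry, because revocation only matters if someone asks Hydra whether the token is still active.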