Should I revoke the access token on logout from the client?

Before asking this question I tried to find the solution by myself, and indeed there is a similar question,
https://github.com/ory/hydra/issues/1651, but the problem is that I didn’t catch the idea of the given answer. I followed the recommended link, then the one to read first: https://www.ory.sh/hydra/docs/concepts/logout, and I saw there the phrase:
This endpoint does not remove any Access/Refresh Tokens.
So I’m still a little confused, and that’s why I decided to ask again.

What we have is a simple SPA client and a REST server. To authorize a user we use Ory Hydra. We use the authorization code flow and, up to a certain point, everything works as expected. But what we would like to achieve, and don’t fully understand how to do, is:

  1. When a user logs out from the client, next time he must go through the login procedure again (including providing his credentials in the login window). This part is more or less clear: it seems to be enough to go through the logout flow from the link above.
  2. The user must be unable to use his previously issued token once he has logged out. But as far as I understood from the documentation and from playing with different flows, the token is not automatically revoked, neither on creating a new token nor even after successfully completing the logout flow.

So I would be very grateful for pointing me in the right direction. What is the right place and time to revoke an old access token? Do we really need to do it ourselves at some point in the logout flow? And if yes, what is the reason why it isn’t done by Ory Hydra itself?

Thanks in advance.

from an older thread:

Invalidating OAuth2 Tokens when you log out (or update credentials) is not something that’s intended by the protocol. You would never get logged out of e.g. CircleCI when you log out of GitHub, this is true for all of the “Sign in with Google/…” flows. That just doesn’t happen because they are separate companies/systems/developers/…

What you’re looking for is probably more something along OpenID Connect Front/Backchannel logout, which is implemented in Hydra.

If you want to revoke access to a certain application, use the API linked below, it invalidates all tokens.

Everything else is completely abusing an Access Token (proof of authorization) as something that is a “login session” (which is what we have OpenID Connect for)

You can revoke a refresh token using OAuth2 Token Revocation ( https://www.ory.sh/docs/hydra/sdk/api#revoke-oauth2-tokens ), which will revoke the whole chain of tokens (all issued access tokens, all issued refresh tokens) for that specific authorization grant.

If an OAuth2 Client is compromised, you can revoke all tokens for that client (or for the user in general) via: https://www.ory.sh/docs/hydra/sdk/api#revokes-consent-sessions-of-a-subject-for-a-specific-oauth-20-client

Please let me know if that helped :slight_smile:

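As an added example (not code from the original post, and not Ory’s own code), here is what the two halves of that answer look like in practice: at logout the client revokes its refresh token, which takes the whole grant’s token chain with it, and the REST server checks every incoming access token against the introspection endpoint, so the old token is refused from then on. Assumptions: Hydra v2 paths (`/oauth2/revoke` on the public API, `/admin/oauth2/introspect` on the admin API; v1 served introspection at `/oauth2/introspect` on the admin port), a public SPA client `spa` with no secret that sends only `client_id`, a confidential client `svc` for comparison, and the `FakeHydra` class, which is a constructed stand-in so the script runs offline.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def build_revocation_request(public_url, token, client_id, client_secret=None,
                             token_type_hint="refresh_token"):
    """RFC 7009 revocation call as (url, headers, form_body).

    Revoking the refresh token is the call worth making at logout: Hydra then
    revokes the whole chain of that grant. A confidential client authenticates
    with HTTP Basic; a public client (assumed token_endpoint_auth_method
    "none") only sends its client_id in the form body.
    """
    form = {"token": token, "token_type_hint": token_type_hint}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is None:
        form["client_id"] = client_id
    else:
        cred = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    return public_url.rstrip("/") + "/oauth2/revoke", headers, urllib.parse.urlencode(form)


def http_post(url, headers, body):
    """Real transport: POST a form body, return (status, response_text)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def logout(public_url, refresh_token, client_id, client_secret=None, post=http_post):
    """Client side of logout. RFC 7009 answers 200 even for unknown or
    already-revoked tokens, so only auth/transport errors mean failure."""
    url, headers, body = build_revocation_request(public_url, refresh_token,
                                                  client_id, client_secret)
    status, _ = post(url, headers, body)
    return status == 200


def introspect(admin_url, access_token, post=http_post):
    """Resource-server side: ask Hydra's admin API whether the token is live."""
    url = admin_url.rstrip("/") + "/admin/oauth2/introspect"   # assumed v2 path
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    _, text = post(url, headers, urllib.parse.urlencode({"token": access_token}))
    return json.loads(text)


def token_is_usable(introspection, required_scope=None):
    """RFC 7662 decision: anything but active=true is a rejection."""
    if introspection.get("active") is not True:
        return False
    if required_scope is not None:
        return required_scope in introspection.get("scope", "").split()
    return True


class FakeHydra:
    """Constructed stand-in for Hydra so the script runs offline: one grant
    issues an access and a refresh token together, and revoking either
    token kills the whole chain, as the answer above describes."""

    def __init__(self, grants, clients):
        self.grants = grants      # token -> grant id
        self.clients = clients    # client_id -> secret, or None for public
        self.revoked = set()

    def post(self, url, headers, body):
        form = dict(urllib.parse.parse_qsl(body))
        if url.endswith("/oauth2/revoke"):
            if not self._client_authenticated(headers, form):
                return 401, json.dumps({"error": "invalid_client"})
            grant = self.grants.get(form.get("token"))
            if grant is not None:
                self.revoked.add(grant)
            return 200, ""
        if url.endswith("/admin/oauth2/introspect"):
            grant = self.grants.get(form.get("token"))
            if grant is None or grant in self.revoked:
                return 200, json.dumps({"active": False})
            return 200, json.dumps({"active": True, "sub": "alice",
                                    "scope": "openid offline api"})
        return 404, ""

    def _client_authenticated(self, headers, form):
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
            return cid in self.clients and self.clients[cid] == secret
        cid = form.get("client_id")
        return cid in self.clients and self.clients[cid] is None


def demo(client_id="spa", client_secret=None):
    """Token usable -> logout revokes the grant -> same access token refused."""
    hydra = FakeHydra(grants={"at-1": "grant-1", "rt-1": "grant-1"},
                      clients={"spa": None, "svc": "s3cret"})
    public, admin = "https://hydra.example", "http://hydra-admin.example:4445"
    before = token_is_usable(introspect(admin, "at-1", hydra.post), "api")
    revoked = logout(public, "rt-1", client_id, client_secret, post=hydra.post)
    after = token_is_usable(introspect(admin, "at-1", hydra.post), "api")
    return before, revoked, after


if __name__ == "__main__":
    print(demo())                 # (True, True, False)
    print(demo("svc", "wrong"))   # (True, False, True): bad secret, nothing revoked
```

The introspection half is what makes the revocation matter: if the REST server validated self-contained JWT access tokens locally, a revoked token would keep working until it expired, so either introspect on each request or keep access-token lifetimes short and rely on the revoked refresh token to stop renewal.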

vinckr, thanks a lot for your explanation! At least now I can conclude that I shouldn’t try to revoke a token on logout and that instead just implementing the logout flow is the optimal strategy for my situation.
