feat(core): revoke grant by grantId

[simeng-li]

Summary

Implement grant revocation by grantId Management API, including ownership validation and OIDC-session authorization cleanup.

• Added DELETE /users/:userId/grants/:grantId.
• Validates the target grant exists and belongs to :userId; otherwise returns oidc.invalid_grant (404).
• If the grant has already expired, the endpoint returns success without failure (idempotent behavior).
• Revocation uses OIDC model chain cleanup (AccessToken, RefreshToken, AuthorizationCode, DeviceCode, BackchannelAuthenticationRequest, and Grant destroy).
• After revocation, removes the related authorization entry from the associated active session by grantId, then resets/persists session identifier (aligned with client-scoped end-session cleanup semantics).
• Added dedicated error codes for clearer failure diagnostics:
  • oidc.failed_to_revoke_grant
  • oidc.failed_to_cleanup_session_authorization

Testing

Integration test added

Checklist

• .changeset
• unit tests
• integration tests
• necessary TSDoc comments

[github-actions]

COMPARE TO master

Total Size Diff ⚠️ 📈 +28.1 KB

Diff by File

Name	Diff
packages/console/src/consts/webhooks.test.ts	📈 +447 Bytes
packages/console/src/consts/webhooks.ts	📈 +156 Bytes
packages/console/src/pages/Mfa/MfaForm/index.tsx	📈 +531 Bytes
packages/console/src/pages/Mfa/MfaForm/utils.test.ts	📈 +349 Bytes
packages/console/src/pages/Mfa/MfaForm/utils.ts	📈 +90 Bytes
packages/core/src/mocks/oidc-grant.ts	📈 +420 Bytes
packages/core/src/libraries/session.test.ts	📈 +6.8 KB
packages/core/src/libraries/session.ts	📈 +3.6 KB
packages/core/src/oidc/extra-token-claims.test.ts	📈 +2.61 KB
packages/core/src/queries/oidc-model-instance.test.ts	📈 +3.13 KB
packages/core/src/queries/oidc-model-instance.ts	📈 +2.07 KB
packages/core/src/queries/oidc-session-extensions.ts	📈 +874 Bytes
packages/core/src/routes/admin-user/grants.openapi.json	📈 +1.62 KB
packages/core/src/routes/admin-user/grants.ts	📈 +2.3 KB
packages/core/src/routes/admin-user/index.ts	📈 +81 Bytes
packages/core/src/routes/experience/classes/experience-interaction.adaptive-mfa.test.ts	📈 +832 Bytes
packages/core/src/routes/experience/classes/experience-interaction.test.ts	📈 +72 Bytes
packages/core/src/routes/experience/classes/experience-interaction.ts	📈 +103 Bytes
packages/core/src/routes/experience/classes/libraries/adaptive-mfa-validator/index.test.ts	📈 +1.1 KB
packages/core/src/routes/experience/classes/libraries/adaptive-mfa-validator/index.ts	📈 +320 Bytes
packages/core/src/routes/experience/index.test.ts	📈 +63 Bytes
packages/core/src/routes/hook.test.ts	📈 +266 Bytes
packages/core/src/routes/hook.ts	📈 +901 Bytes
packages/core/src/routes/sign-in-experience/index.test.ts	📈 +310 Bytes
packages/core/src/routes/sign-in-experience/index.ts	📈 +359 Bytes
packages/core/src/routes/swagger/utils/documents.ts	📈 +13 Bytes
packages/integration-tests/src/api/admin-user.ts	📈 +493 Bytes
packages/integration-tests/src/helpers/hook.ts	📈 +214 Bytes
packages/integration-tests/src/tests/api/experience-api/sign-in-interaction/adaptive-mfa.test.ts	📈 +630 Bytes
packages/integration-tests/src/tests/api/hook/hook.test.ts	📈 +189 Bytes
packages/integration-tests/src/tests/api/hook/hook.trigger.experience.adaptive-mfa.test.ts	📈 +381 Bytes
packages/integration-tests/src/tests/api/oidc/get-access-token.test.ts	📈 +1.44 KB
packages/integration-tests/src/tests/api/sessions/index.test.ts	📈 +4.03 KB
packages/integration-tests/src/tests/api/sign-in-experience.test.ts	📈 +312 Bytes
packages/phrases/src/locales/ar/errors/oidc.ts	📈 +160 Bytes
packages/phrases/src/locales/de/errors/oidc.ts	📈 +185 Bytes
packages/phrases/src/locales/en/errors/oidc.ts	📈 +141 Bytes
packages/phrases/src/locales/es/errors/oidc.ts	📈 +160 Bytes
packages/phrases/src/locales/fr/errors/oidc.ts	📈 +169 Bytes
packages/phrases/src/locales/it/errors/oidc.ts	📈 +166 Bytes
packages/phrases/src/locales/ja/errors/oidc.ts	📈 +191 Bytes
packages/phrases/src/locales/ko/errors/oidc.ts	📈 +150 Bytes
packages/phrases/src/locales/pl-pl/errors/oidc.ts	📈 +163 Bytes
packages/phrases/src/locales/pt-br/errors/oidc.ts	📈 +150 Bytes
packages/phrases/src/locales/pt-pt/errors/oidc.ts	📈 +150 Bytes
packages/phrases/src/locales/ru/errors/oidc.ts	📈 +198 Bytes
packages/phrases/src/locales/th/errors/oidc.ts	📈 +254 Bytes
packages/phrases/src/locales/tr-tr/errors/oidc.ts	📈 +136 Bytes
packages/phrases/src/locales/zh-cn/errors/oidc.ts	📈 +131 Bytes
packages/phrases/src/locales/zh-hk/errors/oidc.ts	📈 +131 Bytes
packages/phrases/src/locales/zh-tw/errors/oidc.ts	📈 +131 Bytes
packages/schemas/alterations/next-1772621060-add-oidc-model-instances-grant-account-id-index.ts	📈 +902 Bytes
packages/schemas/src/types/user-sessions.ts	📈 +779 Bytes
packages/schemas/tables/oidc_model_instances.sql	📈 +177 Bytes

[Copilot]

Pull request overview

Adds Management API support for listing and revoking a user’s OIDC application grants by grantId, including token-chain revocation and cleanup of the corresponding session authorization entry. This extends the existing session-management capabilities with grant-level controls (currently implemented as dev-feature routes in core).

Changes:

• Add dev-feature Management API routes to list active user grants (with app-type filter) and revoke a grant by grantId.
• Implement queries/library logic to fetch active grants, revoke the OIDC token chain, and remove the related session authorization entry.
• Add schema types/guards, i18n error phrases, DB index + alteration, and integration/unit test coverage.

Reviewed changes

Copilot reviewed 24 out of 24 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
packages/schemas/tables/oidc_model_instances.sql	Adds base-schema index for active Grant lookup by accountId/expiry.
packages/schemas/src/types/user-sessions.ts	Introduces Zod guards/types for “user application grants” API responses.
packages/schemas/alterations/next-1772621060-add-oidc-model-instances-grant-account-id-index.ts	Adds concurrent migration to create/drop the new Grant index.
packages/phrases/src/locales/*/errors/oidc.ts	Adds localized strings for new OIDC error codes.
packages/integration-tests/src/tests/api/sessions/index.test.ts	Adds integration tests for listing grants + revoking a grant by grantId.
packages/integration-tests/src/api/admin-user.ts	Adds admin API helpers for grants list + grant revocation.
packages/core/src/routes/admin-user/session.ts	Adds dev-feature routes for grants list/revoke and maps failures to new error codes.
packages/core/src/routes/admin-user/session.openapi.json	Documents the new dev-feature endpoints in OpenAPI.
packages/core/src/queries/oidc-session-extensions.ts	Adds query to locate an active session UID containing an authorization entry with a given grantId.
packages/core/src/queries/oidc-model-instance.ts	Adds query to list active Grant instances by user with optional first/third-party filtering.
packages/core/src/queries/oidc-model-instance.test.ts	Adds unit tests validating the new grants query SQL.
packages/core/src/libraries/session.ts	Implements grant formatting, grant-chain revocation helper, grant revocation by id, and session authorization cleanup by grantId.
packages/core/src/libraries/session.test.ts	Adds unit tests for revoking a grant by id and removing session authorization by grantId.
packages/core/src/mocks/oidc-grant.ts	Adds a mock helper for grant instances used by query tests.

Comments suppressed due to low confidence (1)

packages/core/src/routes/admin-user/session.ts:47

• This endpoint is registered only when EnvSet.values.isDevFeaturesEnabled is true, but the PR description presents it as a general Management API addition. If this is intended to be dev-only, please reflect that in the PR description/summary; otherwise, consider removing the dev-feature gating (and the OpenAPI dev tag).

  if (EnvSet.values.isDevFeaturesEnabled) {
    router.get(

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.