Session and Logout Flow with Hydra SSO (multiple clients)

[sagarshah1983]

Hello everyone,
I have some specific questions in terms of session management from Auth server and client application point of view and the specific flow of logout to understand how does it work in hydra.

Provided, we are using SSO with Hydra and a user performs login into one application and launches another application (different oauth client) but using SSO (using id_token_hint and/or hydra browser session cookie), when user logs out from one application, how does it work?

• Does it maintain different session for the Hydra/OAuth server and the one for Client application itself?
• During logout, does the user log out from both applications? Can we have user session terminated only from the application/client, where he/she performed logout?
• Can logout just happen at the client application level without talking to Hydra at all? What are the pros/cons of this approach? Can logout url configuration be avoided in Hydra in that case?

Please suggest your views.
Appreciate!

[vinckr]

Hello @sagarshah1983
Hope you are doing well, forgive the late answer to these questions 🙏

1. Does it maintain different session for the Hydra/OAuth server and the one for Client application itself?
   No, but you have two different levels of session in this case - one in the OAuth2 layer at Hydra ( this lets the user do the next OAuth2 request without login), and one in the application layer for the user session (managed by for example something like Ory Kratos)
2. During logout, does the user log out from both applications?
   It would say it makes sense that the user is logged out from both applications which seems to be the default.
3. Can we have user session terminated only from the application/client, where he/she performed logout?
   That should be possible, but I think you manage this in the application sesion layer, not in Hydra.
4. Can logout just happen at the client application level without talking to Hydra at all? What are the pros/cons of this approach?
   Yes I think that would be the default, see 1. I am not sure what cons this approach would have, or how would you do it otherwise?
5. Can logout URL configuration be avoided in Hydra in that case?
   Yes in the above case that handles for example Ory Kratos or similar.

Let me know if something is still unclear.

[vinckr]

Hello @sagarshah1983,
It has been some time, I mark the above as answer now, feel free to post here again if something remained unclear.