How to delete user's all devices login session

[Wilmast]

The "User A" has 2 devices and login to the system

1. Mobile phone with Chrome
2. Computer with Chrome browser

So he has 2 login session (session cookie) in two different device
if we would like to implement logout all devices feature

Can we use DELETE /oauth2/auth/sessions/login to invalidates All of "User A" login session?
https://www.ory.sh/hydra/docs/reference/api/#operation/revokeAuthenticationSession

Moreover, how can we revoke all of "User A" access token and refresh token?

Thank for help and support

[vinckr]

Hello @Wilmast
Many apologies for the late answer!

This is not easy to pull off if you are using an OAuth2.0 based flow.
It does not make sense to revoke the refresh token to invalidate a session.
I recommend taking a look at these documents:
Access and Refresh Tokens are not Sessions!
A bit more controversial but worth a read:
Why you probably do not need OAuth2 / OpenID Connect

[pflipp]

@vinckr as hydra manages authentication sessions (sets a cookie on the device, passes the skip to the next login request, etc)

i think hydra should be clear here and either stop managing authentication sessions at all or provide a little more flexibility for authentication session management then the existing "invalidate all authentication sessions" (list sessions for subject & delete session by id)

[vinckr]

Hello @pflipp
Apologies for not being clear. I think the confusion here is a function of the complexity of OAuth2.0. We do have this document going a bit into the different session layers

• Your Application's Session Manager keeps track of the user within your application. You will use OpenID Connect to initiate and complete the login, but your application needs to store and track and invalidate the session.
• Ory Hydra maintains a session cookie. When a user signs in, the cookie will be set for that user. This allows the next OAuth2 request to complete without requesting the user to sign in again.
• Optionally - If your application connects to a third-party identity provider (e.g. Sign in with Google, GitHub, Facebook, ...) that third party provider also maintains a session of the user.

You are referring to the Application level session.
Ory Hydra is managing the consent session.

For example: You add CircleCI to your account in GitHub. This requires you to sign into GitHub. Once access is granted, CircleCI creates a new user account in their database and generates a session cookie -> this is the application session!
If you know log out of GitHub, you are still logged into CircleCI!

It would be crazy if some app could just log you out of GitHub, or if signing out of Google would invalidate your sessions on all the websites where you used "Sign in with Google".

Ory Kratos implements the features for application level sessions that you mentioned above.

[pflipp]

hey @vinckr

i'm refrencing to

Ory Hydra maintains a session cookie. When a user signs in, the cookie will be set for that user. This allows the next OAuth2 request to complete without requesting the user to sign in again.

so i have multiple devices (D1 & D2) and also use github to authenticate to different apps (App1 & App2). I used D1 to authenticate to App1. now i lost the device D1, so i use D2, go to the github session list and revoke the session from D1. totally clear that the application session from App1 still active (and has to be invalidated in App1). now a person unlocked D1, goes to App2 and, of course, has to enter credentials.

everything i wan't is to be able to avoid the automatically login on specific devices and not invalidating consent sessions / tokens etc.

currently we do this with a button that calls the "Invalidate All Login Sessions" endpoint and this is fine for D1, but not for all the other devices like D2 which i use right now.

[vinckr]

Hey @pflipp
So sorry about the late response.

Ory Hydra maintains a session cookie. When a user signs in, the cookie will be set for that user. This allows the next OAuth2 request to complete without requesting the user to sign in again.

What you are talking about is still a different part of the application I think - the user session in your application would be handled by the identity management layer. In the example with "login with GitHub" Hydra would be on the GitHub side and provide the OAuth2 flows for $MYAPPP (github doesn't implement OIDC here but that is a different story) - so $MYAPP has to handle store/track/invalidate the session.
The feature you propose would be that GitHub is able to log users out of $MYAPP - but that are two different things

If you want to solve sign up, login, session management -> Ory Kratos

Maybe we can take this to a new discussion if there is still something unclear?

[pflipp]

Thank @vinckr for coming back to me.

I really do not want to invalidate the session of $MYAPP, this is totally of the scope in this discussion. I "just" want to invalidate, in this example, a GitHub Session that was initiated from another device.

since time goes by, lot of work were done for hydra session management, and the are some open PR's ( like #2876 ) which makes me confident to solve this use case in hydra v2 ;)