
Resolve "Re-logging in doesn't require re-authentication after logging out for all apps"

Closes #21 (closed)

This MR implements a logout endpoint that can be used by Hydra. Applications should call the /oauth2/sessions/logout URL when a user tries to log out of the application. Hydra then creates a logout challenge and redirects the browser to the endpoint implemented in this MR. The code here ends the Hydra and Kratos sessions.

What is not implemented:

  1. The dashboard should invalidate the JWT token of the dashboard-specific session.
  2. The dashboard should call the /oauth2/sessions/logout URL after the JWT token has been invalidated.

We could do both in this endpoint. The result would be that when a user clicks logout in any application (for example Nextcloud), their Dashboard session would also be ended.
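As an added example (not the MR's own code), a handler for the endpoint described above: Hydra redirects the browser here with a `logout_challenge`, the handler ends the Kratos session, accepts the challenge through Hydra's admin API, and sends the browser to the redirect URL Hydra returns. The HTTP client is injected so the block runs offline; the Hydra and Kratos admin base URLs and paths, and the assumption that the Hydra subject is the Kratos identity id, are assumptions for the illustration.

```python
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

HYDRA_ADMIN = "http://hydra-admin:4445"    # assumed Hydra admin API base
KRATOS_ADMIN = "http://kratos-admin:4434"  # assumed Kratos admin API base

# http(method, url) -> (status, json body); injected so the handler runs offline.
Http = Callable[[str, str], Tuple[int, Dict]]

def handle_logout(request_url: str, http: Http) -> Tuple[int, Dict[str, str]]:
    """Handle the browser redirect from Hydra; return (status, headers or error)."""
    challenge = parse_qs(urlsplit(request_url).query).get("logout_challenge", [""])[0]
    if not challenge:
        return 400, {"error": "missing logout_challenge"}  # only Hydra-issued challenges
    q = urlencode({"logout_challenge": challenge})
    # Ask Hydra which subject the challenge belongs to (rejects forged challenges).
    status, info = http("GET", f"{HYDRA_ADMIN}/oauth2/auth/requests/logout?{q}")
    if status != 200:
        return 400, {"error": "unknown logout_challenge"}
    # End the Kratos session first: if it survived, SSO would silently log the
    # user back in on the next app visit, which is the bug this endpoint fixes.
    status, _ = http("DELETE", f"{KRATOS_ADMIN}/admin/identities/{info['subject']}/sessions")
    if status not in (204, 404):
        return 502, {"error": "could not revoke Kratos session"}
    status, body = http("PUT", f"{HYDRA_ADMIN}/oauth2/auth/requests/logout/accept?{q}")
    if status != 200:
        return 502, {"error": "Hydra did not accept logout"}
    return 302, {"Location": body["redirect_to"]}  # Hydra's post-logout redirect

def fake_http(calls: List[Tuple[str, str]]) -> Http:
    """Constructed stand-in for Hydra and Kratos so the example runs offline."""
    def http(method: str, url: str) -> Tuple[int, Dict]:
        calls.append((method, url))
        if method == "GET":
            return 200, {"subject": "identity-123", "sid": "session-1"}
        if method == "DELETE":
            return 204, {}
        return 200, {"redirect_to": "https://sso.example.org/oauth2/sessions/logout?logout_verifier=v1"}
    return http

if __name__ == "__main__":
    calls: List[Tuple[str, str]] = []
    print(handle_logout("https://sso.example.org/logout?logout_challenge=c1", fake_http(calls)))
    print([m for m, _ in calls])  # GET, DELETE, PUT
```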

Edited by Maarten de Waard
