Resolve "Re-logging in doesn't require re-authentication after logging out for all apps"
requested to merge 21-re-logging-in-doesn-t-require-re-authentication-after-logging-out-for-all-apps into main
Closes #21 (closed)
This MR implements a logout endpoint that can be used by Hydra. Applications should call the /oauth2/sessions/logout URL when a user tries to log out of the application. Hydra then creates a logout challenge and redirects the browser to the endpoint implemented in this MR. The code here ends the Hydra and Kratos sessions.
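Added example (not the MR's code) of a handler for the logout-challenge step described above: it fetches the challenge from Hydra, ends the matching Kratos session(s), accepts the challenge so Hydra ends its own session, and redirects the browser. Assumed: Hydra 1.x admin paths (/oauth2/auth/requests/logout), the Kratos admin path /admin/identities/{id}/sessions, the hostnames, and that the Hydra subject is the Kratos identity id.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

HYDRA_ADMIN = "http://hydra-admin:4445"    # assumed hostnames
KRATOS_ADMIN = "http://kratos-admin:4434"


def http_json(method, url, client=urlopen):
    """Send a bodiless request to an admin API; decode JSON if any."""
    with client(Request(url, method=method)) as resp:
        body = resp.read()
    return json.loads(body) if body else None


def handle_logout(query, http=http_json):
    """Handle the browser GET that Hydra redirects to with
    ?logout_challenge=...  Returns (status, headers) for the framework."""
    challenge = query.get("logout_challenge")
    if not challenge:
        # Only Hydra-initiated requests carry a challenge; reject the rest.
        return 400, {}
    q = urlencode({"logout_challenge": challenge})

    # 1. Look the challenge up; Hydra returns the subject it was issued for
    #    (assumed to be the Kratos identity id used at login).
    info = http("GET", f"{HYDRA_ADMIN}/oauth2/auth/requests/logout?{q}")
    subject = info["subject"]

    # 2. End every Kratos session of that identity (Kratos admin API).
    http("DELETE", f"{KRATOS_ADMIN}/admin/identities/{subject}/sessions")

    # 3. Accept the challenge: Hydra ends its session and returns the URL
    #    the browser should be sent to (the client's post-logout redirect).
    accepted = http("PUT", f"{HYDRA_ADMIN}/oauth2/auth/requests/logout/accept?{q}")
    return 302, {"Location": accepted["redirect_to"]}
```

Because the Kratos session is removed before the challenge is accepted, a failure talking to Kratos leaves the Hydra session in place and the user visibly still logged in, rather than half logged out.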
What is not implemented:
- The dashboard should invalidate the JWT token of the dashboard-specific session
- The dashboard should call the oauth2/sessions/logout URL after the JWT token has been invalidated.
We could do both in this endpoint. The result would be that when a user clicks logout in any application (for example Nextcloud), their Dashboard session would also be ended.
Edited by Maarten de Waard