How to logout Hydra and Kratos at the same time

[EiffelFly]

Hi, Ory community.

First of all, thanks your hard work for providing this open source solution. Our project really benefit a lot from it due to we need to issue lots of identities to users.

Recently, we are approaching logout flow, and I feel confused toward how to logout Hydra and Kratos at the same time.

The flow we are using is OAuth with github as OIDC provider. Once user click logout button, we would like to log out all the session related to not just Hydra but also Kratos. As far as I know the flow will be:

1. Redirect browser to /logout, because we don't have logout_challenge at the point, we move on to next part.
2. Redirect browser to the hydra /oauth2/sessions/logout endpoint with idToken if SSR.
3. If the session is valid, this endpoint will redirect browser to the /logout page which set by hydra configuration with logout_challenge query parameter.
4. Once we have logout_challenge we can use acceptLogoutRequest sdk then redirect browser to the /oauth2/sessions/logout?logout_verifier=?

Now we had successfully wiped out oauth2_authentication_session cookie, here comes my question: How do we wipe out Kratos session from this point.

Thanks again!

[vinckr]

Not knowing much about your use case,
is revoking the option with the Self-Service Logout for API Clients an option?

[vinckr]

Hm AFAICT there are multiple session layers with OAUth2:

• Ory Identities/Kratos keeps track of the user within your application.
• Ory OAuth2 & OpenID Connect maintains a session cookie. When a user signs in, the cookie will be set for that user. This allows the next OAuth2 request to complete without requesting the user to sign in again.

So when the user logs out, you usually only want to log out of the Ory Identities session, but the OAuth2 session should still be there (to complete the next log in without going through the consent stage again).
Might be that I got something wrong 🤔 . Feel free to open a dedicated discussion, if this makes it not clearer.

[sidharthramesh]

@vinckr take a scenario where the user wants to log out of Kratos, and then log back in with another identity.
The OAuth2 flow errors out stating that the subject_id of the previously set cookie does not match the current one initiating the flow.

Even if the identity stays the same, I don't think the user would expect an OAuth2 flow to progress without a login page since they have "signed out".

I'm using Kratos + Hydra together. I am facing issues when launching OAuth2 requests when the logged-in user changes in Kratos, but not in Hydra. Given that there has been a lot of development around Hydra - Kratos integration with the release of Kratos 1.0, what is the best way to simultaneously reset the Hydra login session when the Kratos user logs out?

[atreya2011]

@sidharthramesh
Maybe this will be helpful. During the logout flow, I revoke the hydra logout session, consent session and along with the logout session in kratos.
https://github.com/atreya2011/go-kratos-test/blob/062f7ab9323b1c4ad559f4101a20cdda9cf5f2cd/main.go#L188

@vinckr
I finally found the time to update my example implementation to the latest version of Kratos and Hydra :)

[vinckr]

take a scenario where the user wants to log out of Kratos, and then log back in with another identity.

I agree, if that is part of the use case then you need to take it into account.
Maybe evaluate if you even need OAuth2 for your use case, then this would not be an issue.
Read more about this here: https://www.ory.sh/oauth2-openid-connect-do-you-need-use-cases-examples/ and especially the part about sessions.

[sidharthramesh]

Hey @atreya2011 and @vinckr, Thank you so much for your input.