Revoke or disable access/refresh token by user/sub

[sagarshah1983]

Hello there,
I am trying to find out if Ory Hydra has a way to revoke/disable the access/refresh token by taking user/sub as an input.

Use case: A user is using multiple devices for an app (representing OAuth client) on which he/she has already logged in and so app continues to use refresh token to get the new access token and bypassing the login workflow (asking user for login credentials).
Now one of the devices is lost and as such user changes password for his/her account. With that we need a way to find (and revoke) all the access/refresh tokens for every oauth client for that user. So that it can force the app/client to go through the login screens (as refresh token flow wont work anymore) requiring user to input credentials on every device.

With that said, if there are any alternatives on how this can be achieved, recommendations would be appreciated.

[vinckr]

Ideally you use something like Ory Kratos for session management which has flows and APIs designed exactly for this use case. This PR would probably a lot with that.

[sagarshah1983]

Thanks @vinckr for your response. Knowing that this PR is still open and we have our own identity provider solution already in place, it might be complex to replace this at this point. So I am trying to find the best practices using which we can still implement this using our own identity management.
Also knowing that hydra only has revoke endpoint that takes the input of refresh or access token itself, I am trying to find out

1. Do we expect to revoke tokens for a user and keep that ownership with identity management solution.
2. If so, does identity management keep track of all refresh and access tokens for every user? OR it can somehow call hydra API to get list of refresh/access tokens for a user and then call revoke for each of them?
3. OR does it follow a different approach altogether?

Looking forward to your recommendations!

[sagarshah1983]

@vinckr
Also please note that my question is not related to session directly itself, but its how do we revoke tokens when user changes his/her password from any of the devices so as to enforce login flow again (not sure if there's a way to handle this without revoking token).
Intention is to ask user to login again with new passwords after the password is changed.

[vinckr]

Hey @sagarshah1983
The Ory Kratos and Ory Hydra integration just landed with Hydra 2.0,
see the release notes for more details!
Check it out 🙏

[sagarshah1983]

Thanks @vinckr for sharing this. Will take a look.

[sagarshah1983]

@vinckr Has there been any update on this? We have been waiting for a way on hydra to remove refresh tokens issued to an app on behalf of any user without requiring the app/client secret. This could be ad admin endpoint or by way of some janitor command too.
Also, Ory Kratos dependency would be a blocker for us, so for now we need a solution without having to implement Ory Kratos.

[haslersn]

Is there a way to do this without Kratos? We are using a different identity provider. It would be nice if Hydra had an API where you can provide a user and a timestamp, such that all tokens (especially refresh tokens) issued for that user before that timestamp are revoked. The identity provider could then synchronize that timestamp with the time of the latest password change.

[medhost-sagar]

I like that idea. We are in similar situation and as of today we cannot switch our identity provider just for this need.
Also, as this feature is currently not supported in hydra, we have had to actually revoke the user consent (which will revoke refresh tokens and remove consent as well), but this results in bad user experience on next login as they have to provide consent again.

I would really wish if we can have an API in hydra (even admin endpoint would suffice) that can revoke all the refresh tokens issued to any apps on behalf of a user (preferably with timestamp as suggested above).

[vinckr]

There is of course a way, but I would recommend Kratos which will save you a lot of complexity and custom bespoke code. OAuth2 was not intended for this, it does not even specify how logout should happen exactly as far as I can remember.
But better would be to use a service that was build for this use case like Ory Kratos with simple instant logout that is not terribly complex.

[haslersn]

What do you mean by "Ory Kratos for session management which has flows and APIs designed exactly for this use case"?

AFAIK refreshing a token happens between the user agent and Hydra. This question is about how to prevent tokens (issued for a specific user) from getting refreshed.

[medhost-sagar]

@vinckr To clarify, we are not looking to tie this with session or login/logout flow with identity provider, but for an API in Hydra that can be used to revoke refresh tokens alone for a user (without having to remove the consent) when user's account has undergone security level change (like password change or account inactivation/temporary lock). Now some of these may have been supported in Kratos, but switching an entire identity provider for this need is not making sense in this case.