Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi everyone, I’m using Hydra (with Kratos) to get access and ID tokens. In my case during logout I also want to revoke all tokens related to the oauth2 client. What is the correct way to do it? Should I use `/oauth2/sessions/logout` with id token and then `DELETE /admin/oauth2/auth/sessions/consent` with subject (extracted from ID token) and client id?

Kratos already has that feature
though it wasn't released
my suggestion, build Kratos locally and use that image instead

<https://github.com/ory/kratos/blob/6a0a9149b9828ba994bec9b48a43f9d70245f43f/driver/config/config.go#L186|https://github.com/ory/kratos/blob/6a0a9149b9828ba994bec9b48a43f9d70245f43f/driver/config/config.go#L186>

Thank you, but I'm using Ory Network
the problem is that usage of `/oauth2/sessions/logout`  doesn't remove user's consents so access token remains valid. My question was what how to properly revoke it

I may be shooting blind here, but try clearing the cookies at your application layer
maybe that'll work

Yes, that’s right
But I also want to be sure that access or refresh token cannot be reused if they stored somewhere else