# talk-hydra
c
Hello. Any ideas how to do device management around Hydra? It would be possible to invalidate sessions by session ID, but there is no such admin API, as I understand it.
f
Right, via the admin API you can only revoke all sessions that an identity has open. If you really need to delete just one, that would actually be a great extension of the Kratos API - a "DELETE /admin/sessions/{id}" endpoint.
Maybe you want to take a shot at adding it to Kratos? We'd be happy to review a PR 🙂
c
Maybe I can implement it? Let's discuss, and I'll create an issue. We can return the session ID (the same as the sid from the ID token), add a logout admin endpoint with a session ID parameter, and an endpoint to list a user's active sessions (user ID -> session ID).
So, a little mess-up: we are talking about Hydra, right?
m
I think this would be best handled in Ory Kratos - see this explanation on sessions: https://www.ory.sh/docs/hydra/concepts/before-oauth2#access-and-refresh-tokens-arent-sessions, to make sure you're not talking about user sessions.
f
Oh. I was thinking about Kratos - sorry. So are you after Hydra tokens, consent sessions, or something else?
c
@magnificent-energy-493 @fast-lunch-54279 Not about consents; consent is OK, I saw that there is an admin API for that. We have our own identity provider; I'm not sure that Kratos can do that (but we can replicate its behavior). The main thing is that we want to collect a user's active sessions, show them to the user, and invalidate them upon the user's request. We have our own ecosystem with SSO and we want to invalidate the whole user session (+ all tokens from all clients). You can treat it the same as a blacklisted session that was initiated by a hacker.
m
> we want to invalidate the whole user session (+ all tokens from all clients)
You can revoke all tokens with this endpoint: https://www.ory.sh/docs/hydra/reference/api#operation/revokeConsentSessions and invalidate the authentication session (at Ory Hydra! the user session has to be handled in your identity provider) here: https://www.ory.sh/docs/hydra/reference/api#operation/revokeAuthenticationSession. The identity management (+ user sessions) would be handled in your identity provider. Let me know if something is still unclear 🙂
c
@magnificent-energy-493 This does not solve the device management problem. It is necessary to invalidate only one user session, not all. And if the tokens remain alive, then this is useless, because the attacker can continue to use the application.
m
> the attacker can continue to use the application
If you are looking for individual user sessions, you have to handle that in your application/identity management solution (for example Ory Kratos).
c
@magnificent-energy-493 If I invalidate the attacker's session in the application, he will go to Hydra and get a new one through cross-authorization, without even reaching the identity provider.
@magnificent-energy-493 Do you have any implementation patterns for device management? Because I now see that there is no way to do this on top of your OIDC provider (see messages above). Maybe I'm missing something. I can help with a PR, I have ideas, but it is important for me that it does not introduce vulnerabilities into your code and fits into your concepts and those of OIDC.
@magnificent-energy-493 @fast-lunch-54279 Guys, can anyone help me with this issue?
f
When you say "device management", what does that entail for you? Is it only about terminating sessions, or do you have more in mind?
c
@fast-lunch-54279 "about terminating sessions" - yes, terminate the session and revoke the tokens bound to that session.