hi 🙂 would it be possible to add "login session id" to refresh_token_hook payload? (https://www.ory.sh/docs/hydra/guides/claims-at-refresh#webhook-configuration) I would like to prevent refreshing the access token when login session id is on my blacklist in source code, seems like it's available under

session.IDTokenClaims().Extra["sid"]

but I'm not sure whether it's ok to pass it like that 😄

@magnificent-energy-493 @fast-lunch-54279 I have the same requirement. Can we add it to this hook?

maybe it would be even better to pass all "previous"

session.IDTokenClaims()

and access token claims then it would be possible to overwrite claims by merging (currently seems like those are completely replaced)

@able-glass-7253 what's your take here?

Hi, is it not an option to revoke the session's tokens when adding it to the blacklist?

@able-glass-7253 As I see there is no API in Hydra to revoke session by sessionId (sid) or token

@able-glass-7253 there is one additional problem here when token is refreshed then

sid

claim from

id_token

is removed and logout stops working (

Logout failed because query parameter id_token_hint is missing sid claim

error) see https://github.com/ory/hydra/issues/3082#issuecomment-1190515519 (and below)

@brainy-wolf-50441 @calm-needle-46078 I'm afraid I can't answer your question because I haven't spent a lot of time working on session termination. I would therefore suggest to create an issue explaining the process that this is part of and why it can't be done with the current API