# talk-hydra
polite-finland-39423:
👋 We are evaluating how to support revocation of a single session in such a way that:
1) a backchannel logout happens
2) all tokens for that session are revoked

Is this a common ask, and is there a straightforward approach to do it? From what we've seen, it looks like we would need to contribute (1) and maintain our own revocation list (list of sid) for (2).
If (1) is not possible right now, our next question would be whether it is a contribution that would bring value to Hydra and would be accepted.
magnificent-energy-493:
Hey @polite-finland-39423 Can you help me a bit with understanding the underlying use case? It sounds a bit like user management (or rather session management) to me, for which we have a dedicated service: Ory Identities, aka Ory Kratos. See this document for an overview of what OAuth2 is useful for and what it is not: https://www.ory.sh/docs/hydra/concepts/before-oauth2
polite-finland-39423:
Thanks, it is exactly around session management, where we have multiple applications, each with its own session implementation. I'll read more on Ory Identities and report back.
@magnificent-energy-493 So a bit more on our use case. We have CLIs, SDKs, different SaaS products and an existing user management system/vendor. We make this work by leveraging Hydra currently. Most products have integrated with Hydra without changing their own session mechanism. Since these clients/products are under the same umbrella (the company), we are moving towards building a central session management feature. Which is why we were hoping we could implement a multi-stage logout flow (as the linked doc mentions) and session revocation by leveraging Hydra login sessions, backchannel logout and token revocation.
magnificent-energy-493:
Hey @polite-finland-39423 Thanks for the details, that helps a lot! I think Kratos would be your ideal solution to build such a "central session/user management" system. It has a ton of features geared just towards what you are looking for! It integrates nicely with Hydra (self-hosted needs some config, Ory Network out of the box). There are probably details I am missing now, but as far as I see it you have two options:
• build custom session management with Hydra yourself
• use a solution developed by Ory exactly for this, that is maintained and used by hundreds of companies.

Of course it could be very easy to develop what you are looking for, but in that case you still have to maintain it indefinitely, not ideal IMO.
polite-finland-39423:
We'll look into Kratos in more detail to see how it would all work. Kratos might be our longer-term approach. I think we would still need a shorter-term one. Thanks a lot for your thoughts!