feat: propagate logout to identity provider

This commit improves the integration between Hydra and Kratos when logging
out the user.

This adds a new configuration key for configuring a Kratos admin URL.
Additionally, Kratos can send a session ID when accepting a login request.
If a session ID was specified and a Kratos admin URL was configured,
Hydra will disable the corresponding Kratos session through the admin API
if a frontchannel or backchannel logout was triggered.

consent/manager.go

@@ -41,7 +41,7 @@ type (
 		// Cookie management
 		GetRememberedLoginSession(ctx context.Context, loginSessionFromCookie *flow.LoginSession, id string) (*flow.LoginSession, error)
 		CreateLoginSession(ctx context.Context, session *flow.LoginSession) error
-		DeleteLoginSession(ctx context.Context, id string) error
+		DeleteLoginSession(ctx context.Context, id string) (deletedSession *flow.LoginSession, err error)
 		RevokeSubjectLoginSession(ctx context.Context, user string) error
 		ConfirmLoginSession(ctx context.Context, session *flow.LoginSession, id string, authTime time.Time, subject string, remember bool) error
 

consent/manager_test_helpers.go

@@ -324,8 +324,12 @@ func TestHelperNID(r interface {
 		require.NoError(t, err)
 		require.Error(t, t2InvalidNID.ConfirmLoginSession(ctx, &testLS, testLS.ID, time.Now(), testLS.Subject, true))
 		require.NoError(t, t1ValidNID.ConfirmLoginSession(ctx, &testLS, testLS.ID, time.Now(), testLS.Subject, true))
-		require.Error(t, t2InvalidNID.DeleteLoginSession(ctx, testLS.ID))
-		require.NoError(t, t1ValidNID.DeleteLoginSession(ctx, testLS.ID))
+		ls, err := t2InvalidNID.DeleteLoginSession(ctx, testLS.ID)
+		require.Error(t, err)
+		assert.Nil(t, ls)
+		ls, err = t1ValidNID.DeleteLoginSession(ctx, testLS.ID)
+		require.NoError(t, err)
+		assert.Equal(t, testLS.ID, ls.ID)
 	}
 }
 
@@ -429,8 +433,9 @@ func ManagerTests(deps Deps, m Manager, clientManager client.Manager, fositeMana
 				},
 			} {
 				t.Run("case=delete-get-"+tc.id, func(t *testing.T) {
-					err := m.DeleteLoginSession(ctx, tc.id)
+					ls, err := m.DeleteLoginSession(ctx, tc.id)
 					require.NoError(t, err)
+					assert.EqualValues(t, tc.id, ls.ID)
 
 					_, err = m.GetRememberedLoginSession(ctx, nil, tc.id)
 					require.Error(t, err)
@@ -1083,7 +1088,8 @@ func ManagerTests(deps Deps, m Manager, clientManager client.Manager, fositeMana
 			require.NoError(t, err)
 			assert.EqualValues(t, expected.ID, result.ID)
 
-			require.NoError(t, m.DeleteLoginSession(ctx, s.ID))
+			_, err = m.DeleteLoginSession(ctx, s.ID)
+			require.NoError(t, err)
 
 			result, err = m.GetConsentRequest(ctx, expected.ID)
 			require.NoError(t, err)

consent/registry.go

@@ -9,6 +9,7 @@ import (
 	"github.com/ory/fosite/handler/openid"
 	"github.com/ory/hydra/v2/aead"
 	"github.com/ory/hydra/v2/client"
+	"github.com/ory/hydra/v2/internal/kratos"
 	"github.com/ory/hydra/v2/x"
 )
 
@@ -17,6 +18,7 @@ type InternalRegistry interface {
 	x.RegistryCookieStore
 	x.RegistryLogger
 	x.HTTPClientProvider
+	kratos.Provider
 	Registry
 	client.Registry
 

consent/strategy_default.go

@@ -312,7 +312,9 @@ func (s *DefaultStrategy) revokeAuthenticationSession(ctx context.Context, w htt
 		return nil
 	}
 
-	return s.r.ConsentManager().DeleteLoginSession(r.Context(), sid)
+	_, err = s.r.ConsentManager().DeleteLoginSession(r.Context(), sid)
+
+	return err
 }
 
 func (s *DefaultStrategy) revokeAuthenticationCookie(w http.ResponseWriter, r *http.Request, ss sessions.Store) (string, error) {
@@ -457,6 +459,7 @@ func (s *DefaultStrategy) verifyAuthentication(
 			return nil, fosite.ErrAccessDenied.WithHint("The login session cookie was not found or malformed.")
 		}
 
+		loginSession.KratosSessionID = f.KratosSessionID
 		if err := s.r.ConsentManager().ConfirmLoginSession(ctx, loginSession, sessionID, time.Time(session.AuthenticatedAt), session.Subject, session.Remember); err != nil {
 			return nil, err
 		}
@@ -730,7 +733,8 @@ func (s *DefaultStrategy) generateFrontChannelLogoutURLs(ctx context.Context, su
 	return urls, nil
 }
 
-func (s *DefaultStrategy) executeBackChannelLogout(ctx context.Context, r *http.Request, subject, sid string) error {
+func (s *DefaultStrategy) executeBackChannelLogout(r *http.Request, subject, sid string) error {
+	ctx := r.Context()
 	clients, err := s.r.ConsentManager().ListUserAuthenticatedClientsWithBackChannelLogout(ctx, subject, sid)
 	if err != nil {
 		return err
@@ -990,8 +994,9 @@ func (s *DefaultStrategy) issueLogoutVerifier(ctx context.Context, w http.Respon
 	return nil, errorsx.WithStack(ErrAbortOAuth2Request)
 }
 
-func (s *DefaultStrategy) performBackChannelLogoutAndDeleteSession(_ context.Context, r *http.Request, subject string, sid string) error {
-	if err := s.executeBackChannelLogout(r.Context(), r, subject, sid); err != nil {
+func (s *DefaultStrategy) performBackChannelLogoutAndDeleteSession(r *http.Request, subject string, sid string) error {
+	ctx := r.Context()
+	if err := s.executeBackChannelLogout(r, subject, sid); err != nil {
 		return err
 	}
 
@@ -1000,10 +1005,12 @@ func (s *DefaultStrategy) performBackChannelLogoutAndDeleteSession(_ context.Con
 	//
 	// executeBackChannelLogout only fails on system errors so not on URL errors, so this should be fine
 	// even if an upstream URL fails!
-	if err := s.r.ConsentManager().DeleteLoginSession(r.Context(), sid); errors.Is(err, sqlcon.ErrNoRows) {
+	if session, err := s.r.ConsentManager().DeleteLoginSession(ctx, sid); errors.Is(err, sqlcon.ErrNoRows) {
 		// This is ok (session probably already revoked), do nothing!
 	} else if err != nil {
 		return err
+	} else {
+		_ = s.r.Kratos().DisableSession(ctx, session.KratosSessionID.String())
 	}
 
 	return nil
@@ -1058,7 +1065,7 @@ func (s *DefaultStrategy) completeLogout(ctx context.Context, w http.ResponseWri
 		return nil, err
 	}
 
-	if err := s.performBackChannelLogoutAndDeleteSession(r.Context(), r, lr.Subject, lr.SessionID); err != nil {
+	if err := s.performBackChannelLogoutAndDeleteSession(r, lr.Subject, lr.SessionID); err != nil {
 		return nil, err
 	}
 
@@ -1095,7 +1102,7 @@ func (s *DefaultStrategy) HandleHeadlessLogout(ctx context.Context, _ http.Respo
 		return lsErr
 	}
 
-	if err := s.performBackChannelLogoutAndDeleteSession(r.Context(), r, loginSession.Subject, sid); err != nil {
+	if err := s.performBackChannelLogoutAndDeleteSession(r, loginSession.Subject, sid); err != nil {
 		return err
 	}
 

consent/strategy_default_test.go

@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"net/http/cookiejar"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 
 	hydra "github.com/ory/hydra-client-go/v2"
@@ -17,8 +18,6 @@ import (
 	"github.com/ory/fosite/token/jwt"
 	"github.com/ory/x/urlx"
 
-	"net/url"
-
 	"github.com/google/uuid"
 	"github.com/tidwall/gjson"
 

consent/strategy_logout_test.go

@@ -16,6 +16,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/ory/hydra/v2/internal/kratos"
 	"github.com/ory/x/pointerx"
 
 	"github.com/stretchr/testify/assert"
@@ -35,9 +36,11 @@ import (
 
 func TestLogoutFlows(t *testing.T) {
 	ctx := context.Background()
+	fakeKratos := kratos.NewFake()
 	reg := internal.NewMockedRegistry(t, &contextx.Default{})
 	reg.Config().MustSet(ctx, config.KeyAccessTokenStrategy, "opaque")
 	reg.Config().MustSet(ctx, config.KeyConsentRequestMaxAge, time.Hour)
+	reg.WithKratos(fakeKratos)
 
 	defaultRedirectedMessage := "redirected to default server"
 	postLogoutCallback := func(w http.ResponseWriter, r *http.Request) {
@@ -181,7 +184,7 @@ func TestLogoutFlows(t *testing.T) {
 			checkAndAcceptLoginHandler(t, adminApi, subject, func(t *testing.T, res *hydra.OAuth2LoginRequest, err error) hydra.AcceptOAuth2LoginRequest {
 				require.NoError(t, err)
 				//res.Payload.SessionID
-				return hydra.AcceptOAuth2LoginRequest{Remember: pointerx.Bool(true)}
+				return hydra.AcceptOAuth2LoginRequest{Remember: pointerx.Bool(true), SessionId: pointerx.Ptr(kratos.FakeSessionID)}
 			}),
 			checkAndAcceptConsentHandler(t, adminApi, func(t *testing.T, res *hydra.OAuth2ConsentRequest, err error) hydra.AcceptOAuth2ConsentRequest {
 				require.NoError(t, err)
@@ -476,6 +479,7 @@ func TestLogoutFlows(t *testing.T) {
 	})
 
 	t.Run("case=should return to default post logout because session was revoked in browser context", func(t *testing.T) {
+		fakeKratos.Reset()
 		c := createSampleClient(t)
 		sid := make(chan string)
 		acceptLoginAsAndWatchSid(t, subject, sid)
@@ -518,9 +522,13 @@ func TestLogoutFlows(t *testing.T) {
 		assert.NotEmpty(t, res.Request.URL.Query().Get("code"))
 
 		wg.Wait()
+
+		assert.True(t, fakeKratos.DisableSessionWasCalled)
+		assert.Equal(t, fakeKratos.LastDisabledSession, kratos.FakeSessionID)
 	})
 
 	t.Run("case=should execute backchannel logout in headless flow with sid", func(t *testing.T) {
+		fakeKratos.Reset()
 		numSidConsumers := 2
 		sid := make(chan string, numSidConsumers)
 		acceptLoginAsAndWatchSidForConsumers(t, subject, sid, true, numSidConsumers)
@@ -535,22 +543,31 @@ func TestLogoutFlows(t *testing.T) {
 		logoutViaHeadlessAndExpectNoContent(t, createBrowserWithSession(t, c), url.Values{"sid": {<-sid}})
 
 		backChannelWG.Wait() // we want to ensure that all back channels have been called!
+		assert.True(t, fakeKratos.DisableSessionWasCalled)
+		assert.Equal(t, fakeKratos.LastDisabledSession, kratos.FakeSessionID)
 	})
 
 	t.Run("case=should logout in headless flow with non-existing sid", func(t *testing.T) {
+		fakeKratos.Reset()
 		logoutViaHeadlessAndExpectNoContent(t, browserWithoutSession, url.Values{"sid": {"non-existing-sid"}})
+		assert.False(t, fakeKratos.DisableSessionWasCalled)
 	})
 
 	t.Run("case=should logout in headless flow with session that has remember=false", func(t *testing.T) {
+		fakeKratos.Reset()
 		sid := make(chan string)
 		acceptLoginAsAndWatchSidForConsumers(t, subject, sid, false, 1)
 
 		c := createSampleClient(t)
 
 		logoutViaHeadlessAndExpectNoContent(t, createBrowserWithSession(t, c), url.Values{"sid": {<-sid}})
+		assert.True(t, fakeKratos.DisableSessionWasCalled)
+		assert.Equal(t, fakeKratos.LastDisabledSession, kratos.FakeSessionID)
 	})
 
 	t.Run("case=should fail headless logout because neither sid nor subject were provided", func(t *testing.T) {
+		fakeKratos.Reset()
 		logoutViaHeadlessAndExpectError(t, browserWithoutSession, url.Values{}, `Either 'subject' or 'sid' query parameters need to be defined.`)
+		assert.False(t, fakeKratos.DisableSessionWasCalled)
 	})
 }

driver/config/provider.go

@@ -80,6 +80,7 @@ const (
 	KeyPublicURL                                 = "urls.self.public"
 	KeyAdminURL                                  = "urls.self.admin"
 	KeyIssuerURL                                 = "urls.self.issuer"
+	KeyKratosAdminURL                            = "urls.kratos.admin"
 	KeyAccessTokenStrategy                       = "strategies.access_token"
 	KeyJWTScopeClaimStrategy                     = "strategies.jwt.scope_claim"
 	KeyDBIgnoreUnknownTableColumns               = "db.ignore_unknown_table_columns"
@@ -388,6 +389,12 @@ func (p *DefaultProvider) IssuerURL(ctx context.Context) *url.URL {
 	)
 }
 
+func (p *DefaultProvider) KratosAdminURL(ctx context.Context) (*url.URL, bool) {
+	u := p.getProvider(ctx).RequestURIF(KeyKratosAdminURL, nil)
+
+	return u, u != nil
+}
+
 func (p *DefaultProvider) OAuth2ClientRegistrationURL(ctx context.Context) *url.URL {
 	return p.getProvider(ctx).RequestURIF(KeyOAuth2ClientRegistrationURL, new(url.URL))
 }

driver/registry.go

@@ -10,6 +10,7 @@ import (
 
 	"go.opentelemetry.io/otel/trace"
 
+	"github.com/ory/hydra/v2/internal/kratos"
 	"github.com/ory/x/httprouterx"
 
 	"github.com/ory/hydra/v2/aead"
@@ -53,6 +54,7 @@ type Registry interface {
 	WithLogger(l *logrusx.Logger) Registry
 	WithTracer(t trace.Tracer) Registry
 	WithTracerWrapper(TracerWrapper) Registry
+	WithKratos(k kratos.Client) Registry
 	x.HTTPClientProvider
 	GetJWKSFetcherStrategy() fosite.JWKSFetcherStrategy
 
@@ -71,6 +73,8 @@ type Registry interface {
 	x.TracingProvider
 	FlowCipher() *aead.XChaCha20Poly1305
 
+	kratos.Provider
+
 	RegisterRoutes(ctx context.Context, admin *httprouterx.RouterAdmin, public *httprouterx.RouterPublic)
 	ClientHandler() *client.Handler
 	KeyHandler() *jwk.Handler

driver/registry_base.go

@@ -28,6 +28,7 @@ import (
 	"github.com/ory/hydra/v2/driver/config"
 	"github.com/ory/hydra/v2/fositex"
 	"github.com/ory/hydra/v2/hsm"
+	"github.com/ory/hydra/v2/internal/kratos"
 	"github.com/ory/hydra/v2/jwk"
 	"github.com/ory/hydra/v2/oauth2"
 	"github.com/ory/hydra/v2/oauth2/trust"
@@ -88,6 +89,7 @@ type RegistryBase struct {
 	hmacs           *foauth2.HMACSHAStrategy
 	fc              *fositex.Config
 	publicCORS      *cors.Cors
+	kratos          kratos.Client
 }
 
 func (m *RegistryBase) GetJWKSFetcherStrategy() fosite.JWKSFetcherStrategy {
@@ -201,6 +203,11 @@ func (m *RegistryBase) WithTracerWrapper(wrapper TracerWrapper) Registry {
 	return m.r
 }
 
+func (m *RegistryBase) WithKratos(k kratos.Client) Registry {
+	m.kratos = k
+	return m.r
+}
+
 func (m *RegistryBase) Logger() *logrusx.Logger {
 	if m.l == nil {
 		m.l = logrusx.New("Ory Hydra", m.BuildVersion())
@@ -552,3 +559,10 @@ func (m *RegistryBase) HSMContext() hsm.Context {
 func (m *RegistrySQL) ClientAuthenticator() x.ClientAuthenticator {
 	return m.OAuth2Provider().(*fosite.Fosite)
 }
+
+func (m *RegistryBase) Kratos() kratos.Client {
+	if m.kratos == nil {
+		m.kratos = kratos.New(m)
+	}
+	return m.kratos
+}

flow/consent_types.go

@@ -42,11 +42,12 @@ type OAuth2RedirectTo struct {
 
 // swagger:ignore
 type LoginSession struct {
-	ID              string         `db:"id"`
-	NID             uuid.UUID      `db:"nid"`
-	AuthenticatedAt sqlxx.NullTime `db:"authenticated_at"`
-	Subject         string         `db:"subject"`
-	Remember        bool           `db:"remember"`
+	ID              string           `db:"id"`
+	NID             uuid.UUID        `db:"nid"`
+	AuthenticatedAt sqlxx.NullTime   `db:"authenticated_at"`
+	Subject         string           `db:"subject"`
+	KratosSessionID sqlxx.NullString `db:"kratos_session_id"`
+	Remember        bool             `db:"remember"`
 }
 
 func (LoginSession) TableName() string {
@@ -292,6 +293,12 @@ type HandledLoginRequest struct {
 	// required: true
 	Subject string `json:"subject"`
 
+	// KratosSessionID is the session ID of the end-user that authenticated.
+	// If specified, we will use this value to propagate the logout.
+	//
+	// required: false
+	KratosSessionID string `json:"session_id"`
+
 	// ForceSubjectIdentifier forces the "pairwise" user ID of the end-user that authenticated. The "pairwise" user ID refers to the
 	// (Pairwise Identifier Algorithm)[http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg] of the OpenID
 	// Connect specification. It allows you to set an obfuscated subject ("user") identifier that is unique to the client.

flow/flow.go

@@ -136,6 +136,8 @@ type Flow struct {
 	// channel logout. Its value can generally be used to associate consecutive login requests by a certain user.
 	SessionID sqlxx.NullString `db:"login_session_id"`
 
+	KratosSessionID sqlxx.NullString `db:"kratos_session_id"`
+
 	LoginVerifier string `db:"login_verifier"`
 	LoginCSRF     string `db:"login_csrf"`
 
@@ -291,6 +293,7 @@ func (f *Flow) HandleLoginRequest(h *HandledLoginRequest) error {
 	f.ForceSubjectIdentifier = h.ForceSubjectIdentifier
 	f.LoginError = h.Error
 
+	f.KratosSessionID = sqlxx.NullString(h.KratosSessionID)
 	f.LoginRemember = h.Remember
 	f.LoginRememberFor = h.RememberFor
 	f.LoginExtendSessionLifespan = h.ExtendSessionLifespan
@@ -311,6 +314,7 @@ func (f *Flow) GetHandledLoginRequest() HandledLoginRequest {
 		ACR:                    f.ACR,
 		AMR:                    f.AMR,
 		Subject:                f.Subject,
+		KratosSessionID:        f.KratosSessionID.String(),
 		ForceSubjectIdentifier: f.ForceSubjectIdentifier,
 		Context:                f.Context,
 		WasHandled:             f.LoginWasUsed,

flow/flow_test.go

@@ -42,6 +42,7 @@ func (f *Flow) setHandledLoginRequest(r *HandledLoginRequest) {
 	f.ACR = r.ACR
 	f.AMR = r.AMR
 	f.Subject = r.Subject
+	f.KratosSessionID = sqlxx.NullString(r.KratosSessionID)
 	f.ForceSubjectIdentifier = r.ForceSubjectIdentifier
 	f.Context = r.Context
 	f.LoginWasUsed = r.WasHandled

go.mod

@@ -44,6 +44,7 @@ require (
 	github.com/ory/herodot v0.10.3-0.20230626083119-d7e5192f0d88
 	github.com/ory/hydra-client-go/v2 v2.1.1
 	github.com/ory/jsonschema/v3 v3.0.8
+	github.com/ory/kratos-client-go v0.13.1
 	github.com/ory/x v0.0.575
 	github.com/pborman/uuid v1.2.1
 	github.com/pkg/errors v0.9.1

go.sum

@@ -646,6 +646,8 @@ github.com/ory/herodot v0.10.3-0.20230626083119-d7e5192f0d88 h1:J0CIFKdpUeqKbVMw
 github.com/ory/herodot v0.10.3-0.20230626083119-d7e5192f0d88/go.mod h1:MMNmY6MG1uB6fnXYFaHoqdV23DTWctlPsmRCeq/2+wc=
 github.com/ory/jsonschema/v3 v3.0.8 h1:Ssdb3eJ4lDZ/+XnGkvQS/te0p+EkolqwTsDOCxr/FmU=
 github.com/ory/jsonschema/v3 v3.0.8/go.mod h1:ZPzqjDkwd3QTnb2Z6PAS+OTvBE2x5i6m25wCGx54W/0=
+github.com/ory/kratos-client-go v0.13.1 h1:o+pFV9ZRMFSBa4QeNJYbJeLz036UWU4p+7yfKghK+0E=
+github.com/ory/kratos-client-go v0.13.1/go.mod h1:hkrFJuHSBQw+qN6Ks0faOAYhAKwtpjvhCZzsQ7g/Ufc=
 github.com/ory/x v0.0.575 h1:LvOeR+YlJ6/JtvIJvSwMoDBY/i3GACUe7HpWXHGNUTA=
 github.com/ory/x v0.0.575/go.mod h1:aeJFTlvDLGYSABzPS3z5SeLcYC52Ek7uGZiuYGcTMSU=
 github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=