Admin/Selfservice session management #655
Is your feature request related to a problem? Please describe.
We need a couple of endpoints to allow us to manage an identity's session.

Describe the solution you'd like

Additional context
These endpoints are needed to display and manage user sessions in the Ory Console.
Would love to see this soon. Once this is in I think I will feel comfortable switching to Ory!
It would also be nice if there was an endpoint to handle deleting all sessions for a single identity, rather than having to list them all then delete one by one, to serve as a "log out everywhere". Maybe
…entity (#1740) This PR introduces an endpoint to destroy all sessions for a given identity, which effectively logs the user out from all devices/sessions. This is useful when, for some security concern, we want to make sure there are no "old" sessions active, or for other "staff" related actions (such as force logout after password change etc.). Contributes to #655
Self-service API Design Proposal

With the route we have the "problem" that we can't use
```go
// Swagger annotations for the proposed self-service routes, in the style of
// Kratos' session package (x.PaginationParams and Session come from the code base).
package session

import "github.com/ory/kratos/x"

// swagger:parameters publicListOtherSessions
// nolint:deadcode,unused
type publicListOtherSessions struct {
	x.PaginationParams
}

// swagger:model publicListOtherSessionsResponse
// nolint:deadcode,unused
type publicListOtherSessionsResponse struct {
	// List of all other sessions.
	//
	// in: body
	Sessions []*Session `json:"sessions"`
}

// swagger:route GET /sessions/others v0alpha2 publicListOtherSessions
//
// This endpoint returns all other active sessions that belong to the logged-in user.
// The current session can be retrieved by calling the `/sessions/whoami` endpoint.
//
// This endpoint is useful for:
//
// - Displaying all other sessions that belong to the logged-in user
//
// Schemes: http, https
//
// Responses:
//   200: publicListOtherSessionsResponse
//   400: jsonError
//   401: jsonError
//   404: jsonError
//   500: jsonError

// swagger:model publicRevokeMySessionsResponse
type revokeMySessionsResponse struct {
	NumberRevokedSessions int `json:"number_revoked_sessions"`
}

// swagger:route DELETE /sessions/others v0alpha2 publicRevokeOtherSessions
//
// Calling this endpoint invalidates all sessions of the logged-in user except the current one.
// Session data are not deleted.
//
// This endpoint is useful for:
//
// - Forcefully logging the current user out of all other devices and sessions
//
// Schemes: http, https
//
// Responses:
//   204: publicRevokeMySessionsResponse
//   400: jsonError
//   401: jsonError
//   404: jsonError
//   500: jsonError
```
Revoking the current session is equal to the logout functionality and therefore not part of this API. Deletion of sessions is also not part of this API. Instead, old sessions are kept for auditing until they are eventually cleaned up (same problem as expired flows). Self-service only ever works with active sessions.
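The two self-service routes in the proposal above, plus the admin "log out everywhere" operation from the earlier comments, reduce to the same piece of store logic: pick the identity from the caller's authenticated session, find that identity's other active sessions, and mark them inactive rather than deleting them so they stay available for auditing. The following Go program is an added illustration of that logic and is not Kratos code; `Session`, `SessionStore` and the sample sessions are constructed for the example, and a real implementation would hand the `current` session in from the `/sessions/whoami` check rather than from any client-supplied identity ID.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Session holds only the fields the endpoints need. It is a constructed
// stand-in for Kratos' session model, not the project's own type.
type Session struct {
	ID         string
	IdentityID string
	Active     bool
	IssuedAt   time.Time
	RevokedAt  *time.Time
}

// SessionStore is a hypothetical in-memory persister. Revoked sessions stay in
// the map with Active=false, matching the proposal's "kept for auditing" rule.
type SessionStore struct {
	sessions map[string]*Session
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: map[string]*Session{}}
}

func (s *SessionStore) Add(sess *Session) { s.sessions[sess.ID] = sess }

// othersOf returns every active session of the caller's identity except the
// caller's own. The identity comes from the authenticated session, never from
// request input, so a user can only ever see or revoke their own sessions.
func (s *SessionStore) othersOf(current *Session) []*Session {
	var out []*Session
	for _, sess := range s.sessions {
		if sess.IdentityID == current.IdentityID && sess.ID != current.ID && sess.Active {
			out = append(out, sess)
		}
	}
	// Deterministic order for paging and for stable API output.
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out
}

// ListOtherSessions is the logic behind GET /sessions/others.
func (s *SessionStore) ListOtherSessions(current *Session) []*Session {
	return s.othersOf(current)
}

// RevokeOtherSessions is the logic behind DELETE /sessions/others: every other
// active session of the caller is marked inactive (not deleted) and the count
// is returned for the number_revoked_sessions field. The current session is
// untouched, because revoking it is ordinary logout.
func (s *SessionStore) RevokeOtherSessions(current *Session, now time.Time) int {
	n := 0
	for _, sess := range s.othersOf(current) {
		revoke(sess, now)
		n++
	}
	return n
}

// RevokeAllForIdentity is the admin counterpart ("log out everywhere"): it
// revokes every active session of an identity, including the one currently
// in use, which is what an operator wants after a credential compromise.
func (s *SessionStore) RevokeAllForIdentity(identityID string, now time.Time) int {
	n := 0
	for _, sess := range s.sessions {
		if sess.IdentityID == identityID && sess.Active {
			revoke(sess, now)
			n++
		}
	}
	return n
}

func revoke(sess *Session, now time.Time) {
	sess.Active = false
	t := now
	sess.RevokedAt = &t
}

func main() {
	store := NewSessionStore()
	now := time.Now()
	// Constructed sample data: alice has two devices, bob has one.
	current := &Session{ID: "sess-1", IdentityID: "id-alice", Active: true, IssuedAt: now.Add(-time.Hour)}
	store.Add(current)
	store.Add(&Session{ID: "sess-2", IdentityID: "id-alice", Active: true, IssuedAt: now.Add(-2 * time.Hour)})
	store.Add(&Session{ID: "sess-3", IdentityID: "id-bob", Active: true, IssuedAt: now})

	for _, sess := range store.ListOtherSessions(current) {
		fmt.Printf("other session %s issued %s\n", sess.ID, sess.IssuedAt.Format(time.RFC3339))
	}
	fmt.Printf("revoked %d other session(s); current still active: %v\n",
		store.RevokeOtherSessions(current, now), current.Active)
	fmt.Printf("admin revoked %d session(s) for id-bob\n", store.RevokeAllForIdentity("id-bob", now))
}
```

A second call to either revoke function returns 0, since revoked sessions are no longer active, and the revoked rows remain in the store with their `RevokedAt` timestamp for the audit trail.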
Is your feature request related to a problem? Please describe.
There are a few things we need for session management. See also #615

Describe the solution you'd like

Selfservice:

Admin: