Description
As pointed out by @nsklikas, Hydra might be able to propagate logout to Kratos when the urls.identity_provider.url config is defined and the identity_provider_session_id parameter is passed when accepting a login request (which we already do in the Login UI). However, we did not implement OIDC logout in Hydra; instead we just deactivate the session and clear cookies. For that reason we need to deactivate the Kratos session on our own.
I'm interested in this point here. Is there scope to reuse Hydra functionality? cc @nsklikas
Yes, but not only that:
- The admin UI would be making 1 HTTP call (Hydra would be making 1 call to Kratos to log out) rather than 3
- It would allow other applications to log out from Kratos as well, as we wouldn't be using the internal Hydra/Kratos APIs
- Our implementation wouldn't rely on the Kratos cookie being available (imo we should limit the Kratos/Hydra cookie only to specific paths, so that they are not accessible by all apps on our domain)
The downside with that approach is that it would require some changes to the login UI as well (implement a couple more endpoints) and maybe some more careful design.
Originally posted by @shipperizer in #573 (comment)