Invalidate Tokens when log out from Relying Party/ OAuth Client

[pommelinho]

Hey!

Let' s say a RP got id_token and id_token from hydra. Id_token info is used in the session of the RP , so the user is kept login.
When the user now log out, session is invalidated. Is it also necessary to invalidate the access token?
If yes how can i do it with hydra?

[vinckr]

No it is not necessary, Access tokens are not sessions!

Access and refresh tokens allow developers you do not know to do things in your application in the name of your users over a prolonged period of time. CircleCI uses access tokens to watch your repositories for changes, update status checks on pull requests, using access and refresh tokens. These tokens are valid for as long as you don't remove CircleCI from your GitHub account. Logout does not change any of that.

It would be good to know,
what is your use case (what problem are you trying to solve),
why is it not working,
what are you proposing as a solution.

[pommelinho]

Hey thanks for the response.
Just was curious as in our case in the mobile app the id_token,access_token and refresh_token are deleted when logging out.
However I was wondering if it would be a security issue if we do not invalidate the refresh/access tokens

[vinckr]

If the user is logged out, they have to log in again before getting access.

So if they still have valid refresh/access tokens, that does not mean they have a valid session.
They just dont have to go through the consent flow again and give consent when they relog.
If you want them to re-do the consent flow as well, when logging in again, you need to revoke the tokens.

I hope that makes sense, in any case I recommend OAuth 2.0 and OpenID Connect (in plain English), which we also link in our docs.
It is relatively long, but also explains everything very well.