
Admin/Selfservice session management #655

Closed
4 of 6 tasks
zepatrik opened this issue Aug 18, 2020 · 4 comments · Fixed by #2011
Labels
corp/m8 (Up for M8 at Ory Corp.), feat (New feature or request)

Comments

@zepatrik
Member

zepatrik commented Aug 18, 2020

Is your feature request related to a problem? Please describe.

There are a few things we need for session management. See also #615

Describe the solution you'd like

Selfservice:

  • List all my sessions
  • View one of my sessions
  • Revoke one of my sessions

Admin:

  • List an identity's sessions
  • View an identity's sessions
  • Delete one or all identity's sessions
@aeneasr
Member

aeneasr commented May 17, 2021

Is your feature request related to a problem? Please describe.

We need a couple of endpoints to allow us to manage an identity's session.

Describe the solution you'd like

  • we need a global sessions API that allows us to list all sessions (with pagination!) GET /sessions at the admin endpoint.
  • we must be able to get a specific session GET /sessions/<id> and also delete/revoke a session DELETE /sessions/<id>
  • We should be able to see an identity's sessions (again at the admin endpoint) GET /identities/<id>/sessions

Additional context

These endpoints are needed to display and manage user sessions in the Ory Console.

@aeneasr aeneasr added corp/m8 Up for M8 at Ory Corp. and removed corp/next labels May 17, 2021
@danthegoodman1

Would love to see this soon. Once this is in I think I will feel comfortable switching to Ory!

@danthegoodman1

It would also be nice if there was an endpoint to handle deleting all sessions for a single identity, rather than having to list them all then delete one by one, to serve as a "log out everywhere". Maybe DELETE /identities/<id>/sessions?

@aeneasr @Benehiko

aeneasr pushed a commit that referenced this issue Sep 18, 2021
…entity (#1740)

This PR introduces an endpoint to destroy all sessions for a given identity, which effectively logs the user out of all devices/sessions. This is useful when, for some security concern, we want to make sure there are no "old" sessions active, or for other "staff"-related actions (such as forced logout after a password change, etc.).

Contributes to #655
@zepatrik zepatrik assigned zepatrik and unassigned Benehiko Nov 29, 2021
@zepatrik
Member Author

Self-service API Design Proposal

With the route we have the "problem" that we can't use /sessions/:id because that conflicts with the existing /sessions/whoami. IMO it makes a lot of sense to distinguish between the current session and all other sessions. Therefore I propose to use /sessions/others/:id as the base path.

  1. List other sessions:

```go
// swagger:parameters publicListOtherSessions
// nolint:deadcode,unused
type publicListOtherSessions struct {
	x.PaginationParams
}

// swagger:model publicListOtherSessionsResponse
// nolint:deadcode,unused
type publicListOtherSessionsResponse struct {
	// List of all other sessions.
	//
	// in: body
	Sessions []*Session `json:"sessions"`
}

// swagger:route GET /sessions/others v0alpha2 publicListOtherSessions
//
// This endpoint returns all other active sessions that belong to the logged-in user.
// The current session can be retrieved by calling the `/sessions/whoami` endpoint.
//
// This endpoint is useful for:
//
// - Displaying all other sessions that belong to the logged-in user
//
//     Schemes: http, https
//
//     Responses:
//       200: publicListOtherSessionsResponse
//       400: jsonError
//       401: jsonError
//       404: jsonError
//       500: jsonError
```
  2. Revoke other sessions:

```go
// swagger:model publicRevokeMySessionsResponse
type revokeMySessionsResponse struct {
	NumberRevokedSessions int `json:"number_revoked_sessions"`
}

// swagger:route DELETE /sessions/others v0alpha2 publicRevokeOtherSessions
//
// Calling this endpoint invalidates all except the current session that belong to the logged-in user.
// Session data are not deleted.
//
// This endpoint is useful for:
//
// - To forcefully logout the current user from all other devices and sessions
//
//     Schemes: http, https
//
//     Responses:
//       204: publicRevokeMySessionsResponse
//       400: jsonError
//       401: jsonError
//       404: jsonError
//       500: jsonError
```
  3. Revoking a specific other session will be similar to revoking all, except that it has the path /sessions/others/:id and only revokes the specified one (which has to differ from the current session).

Revoking the current session is equal to the logout functionality and therefore not part of this API.

Deletion of sessions is also not part of this API. Instead, old sessions are kept for auditing until they are eventually cleaned up (same problem as expired flows). Self-service only ever works with active sessions.
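The rules the self-service proposal above spells out (the current session is excluded from listing and can never be revoked through this API, revocation deactivates rather than deletes, only active sessions are visible), together with the admin "log out everywhere" endpoint from the earlier comments and the #1740 commit, as an added example in Go. This is not code from the issue or from Ory Kratos: the Session and Store types, the injectable clock, the error values and the sample sessions are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// Session is a minimal stand-in for a session record (an assumed shape, not
// Kratos' own type). Revoking flips Active to false and keeps the row for auditing.
type Session struct {
	ID, IdentityID string
	Active         bool
	IssuedAt       time.Time
	ExpiresAt      time.Time
}

var ErrNotFound = errors.New("session not found")
var ErrCurrentSession = errors.New("refusing to revoke the current session; use logout")

// Store is an in-memory session table with an injectable clock (assumed, for the example).
type Store struct {
	sessions map[string]*Session
	now      func() time.Time
}

func NewStore(now func() time.Time) *Store {
	return &Store{sessions: map[string]*Session{}, now: now}
}

func (s *Store) Add(sess *Session) { s.sessions[sess.ID] = sess }

func (s *Store) isActive(sess *Session) bool { return sess.Active && sess.ExpiresAt.After(s.now()) }

// ListOthers models GET /sessions/others: the caller's active sessions except the
// one presenting the request. Expired and revoked rows never surface in self-service.
func (s *Store) ListOthers(identityID, currentID string) []*Session {
	var out []*Session
	for _, sess := range s.sessions {
		if sess.IdentityID == identityID && sess.ID != currentID && s.isActive(sess) {
			out = append(out, sess)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IssuedAt.Before(out[j].IssuedAt) })
	return out
}

// RevokeOther models DELETE /sessions/others/:id. The current session is rejected
// outright (that is logout). Missing, inactive and foreign-owned sessions all map to
// ErrNotFound so the endpoint cannot be used to probe whether a session ID exists.
func (s *Store) RevokeOther(identityID, currentID, targetID string) error {
	if targetID == currentID {
		return ErrCurrentSession
	}
	sess, ok := s.sessions[targetID]
	if !ok || !s.isActive(sess) || sess.IdentityID != identityID {
		return ErrNotFound
	}
	sess.Active = false
	return nil
}

// RevokeOthers models DELETE /sessions/others and returns the count the proposal
// reports as number_revoked_sessions.
func (s *Store) RevokeOthers(identityID, currentID string) int {
	others := s.ListOthers(identityID, currentID)
	for _, sess := range others {
		sess.Active = false
	}
	return len(others)
}

// RevokeAllForIdentity models the admin DELETE /identities/:id/sessions
// ("log out everywhere", e.g. after a password reset): no current session is spared.
func (s *Store) RevokeAllForIdentity(identityID string) int {
	n := 0
	for _, sess := range s.sessions {
		if sess.IdentityID == identityID && s.isActive(sess) {
			sess.Active = false
			n++
		}
	}
	return n
}

func main() {
	// Constructed sample data: alice has a current browser session, a phone session and an expired one; bob has one.
	now := time.Date(2021, 11, 29, 12, 0, 0, 0, time.UTC)
	st := NewStore(func() time.Time { return now })
	st.Add(&Session{ID: "browser", IdentityID: "alice", Active: true, IssuedAt: now.Add(-time.Hour), ExpiresAt: now.Add(time.Hour)})
	st.Add(&Session{ID: "phone", IdentityID: "alice", Active: true, IssuedAt: now.Add(-2 * time.Hour), ExpiresAt: now.Add(time.Hour)})
	st.Add(&Session{ID: "stale", IdentityID: "alice", Active: true, IssuedAt: now.Add(-48 * time.Hour), ExpiresAt: now.Add(-time.Hour)})
	st.Add(&Session{ID: "bob-laptop", IdentityID: "bob", Active: true, IssuedAt: now, ExpiresAt: now.Add(time.Hour)})

	fmt.Println("alice's other sessions:", len(st.ListOthers("alice", "browser"))) // 1 (phone)
	fmt.Println("revoke current:", st.RevokeOther("alice", "browser", "browser"))   // ErrCurrentSession
	fmt.Println("revoke bob's:", st.RevokeOther("alice", "browser", "bob-laptop"))  // ErrNotFound
	fmt.Println("admin log out everywhere:", st.RevokeAllForIdentity("alice"))     // 2 (browser, phone)
}
```

The ownership and activity checks in RevokeOther are collapsed into a single "not found" answer on purpose: a distinct "forbidden" error would let a logged-in user confirm that someone else's session ID is valid, which is exactly the kind of oracle a session-revocation endpoint should not offer.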
