Delete a specific user's session

[tomnocon]

I'm trying to implement the Back-Channel Logout from the OpenId Connect specification. There is a case when the OpenID Provider (OP) want to delete session in the Relying Party (RP) for a specific user. Is it possible to delete a specific user's session?

To accomplish the above requirement, a method is needed for deleting a specific session. I've found a workaround solution but I think that it is not a good idea.

 const cache = server._core.caches.get('_default');
 cache.client.drop({id: sessionId, segment: '!yar'})

I would be good to do it directly in the yar object.

[hueniverse]

I'll take a PR. I assume in your use case, you don't have an active request for the user, only a server reference and the session id? If that's the case, this should be a server-level decoration and look like server.yar.revoke(id).

[tomnocon]

Yes, that's exactly what I mean. I'll create a PR.

[tomnocon]

Hello, @hueniverse. Can you create a branch from the v8.1.2 tag? I've also implemented this feature for the previous version, so I'll be able to create a pull request. Thanks!

[dchrzascik]

Hi @hueniverse, would it be possible to do as @tomnocon suggests? Our ticket depends on resultion of this issue and we would love to see it merged and closed. Thanks!

[lock[bot]]

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.