Allow logging out and deleting a single session cookie

[mderazon]

In version 1.0.0, Hydra started handling the user's session. You can ask Hydra to remember the session so next time the user logs in they will not be shown the login screen.

Currently, the only way to log the user out is by calling

DELETE https://hydra/oauth2/auth/sessions/login/{user}

This, however, deletes the cookie and logs the user out of all devices.

Following a discussion in the forum, the plan is to add an endpoint

GET http://hydra/oauth2/login/signout

That will basically delete the saved login cookie and redirect the user to a whitelisted url.

@arekkas How should the redirect work ?
Should the user define the redirect by adding a redirect= query param to the signout url and if the domain matches the whitelisted one then redirection is allowed ?
What should be the behaviour in case the redirect does not match the whitelisted one ? (need a fallback url ? or do we just return a 400 response ?)

[aeneasr]

I think there should be an environment variable LOGOUT_REDIRECT_URL to which the browser is redirected upon successful logout. There should not be an option to set the redirect URL from the browser. If wee need it, we can add that later.

The method for logging out is already implemented. All we need to do is expose this method via a URL. The HTTP handler should probably be in this file.

I think the URL should be something like /oauth2/auth/logout. Be aware that the router being used there is the one for port 4445. You will have to get the second router (frontend router on port 4444) for this to work.