kratos
after logout webhook
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [X] This issue affects my Ory Cloud project.
- [X] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Describe your problem
I use browser flows for the front end (SPA).
I am caching the Ory Session Cookies on my backend because hitting Ory Cloud each time is too expensive.
To revoke this cache, I need to know when a user logs out.
Describe your ideal solution
An after logout webhook (exactly like login except it's a logout), containing enough data to identify the logged-out session (containing the now-revoked token for example).
Workarounds or alternatives
Hitting my backend to revoke the cache, as well as making a request to Ory to delete the session.
Unfortunately, it seems the cookie session tokens are not session tokens as described by the API, thus we cannot revoke them by using API flows.
Another alternative would be to emulate a browser flow, but that becomes ridiculous really fast.
Version
Cloud
Additional Context
Other session providers such as Auth0 explicitly use this method to make their cloud offering usable.
Without proper callbacks, using browser flows is essentially impossible, and using API flows is just more complex.
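An added sketch, not code from the issue author or from Ory, of the backend side of this request: a session cache that a logout callback can revoke by session ID, with a short TTL bounding how long a logged-out session stays accepted if the callback never arrives. The webhook is the feature being requested here, so the payload field `session_id`, the shared-secret check and all class and function names are assumptions.

```python
import hashlib
import hmac
import time


class SessionCache:
    """Validated sessions, keyed by a hash of the cookie so raw cookies are not stored."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._by_cookie = {}   # sha256(cookie) -> (session_id, identity_id, expires_at)
        self._by_session = {}  # session_id -> set of cookie hashes

    @staticmethod
    def _key(cookie):
        return hashlib.sha256(cookie.encode()).hexdigest()

    def put(self, cookie, session_id, identity_id):
        key = self._key(cookie)
        self._by_cookie[key] = (session_id, identity_id, self.clock() + self.ttl)
        self._by_session.setdefault(session_id, set()).add(key)

    def get(self, cookie):
        """Return the cached identity ID, or None when the caller must re-validate."""
        key = self._key(cookie)
        entry = self._by_cookie.get(key)
        if entry is None:
            return None
        session_id, identity_id, expires_at = entry
        if expires_at <= self.clock():  # the TTL caps exposure if no callback arrives
            del self._by_cookie[key]
            self._by_session.get(session_id, set()).discard(key)
            return None
        return identity_id

    def revoke_session(self, session_id):
        keys = self._by_session.pop(session_id, set())
        for key in keys:
            self._by_cookie.pop(key, None)
        return len(keys)


def handle_logout_webhook(cache, shared_secret, presented_secret, payload):
    """Hypothetical receiver; the payload shape {"session_id": ...} is assumed."""
    # Reject unauthenticated callers so nobody else can evict sessions at will.
    if not hmac.compare_digest(shared_secret.encode(), presented_secret.encode()):
        return 401
    session_id = payload.get("session_id")
    if not isinstance(session_id, str) or not session_id:
        return 400
    cache.revoke_session(session_id)
    return 204  # same answer whether or not the session was cached
```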
That’s a great idea! Contributions are, as always, welcome :)
This would be very useful for example for disabling push notifications for users that have logged out. Any traction for the implementation?
@trautonen Yes, there is. I am pretty interested in contributing to this one.