Merge branch 'master' into SAAS-960

onewelcome · Dec 20, 2023 · d337aec · d337aec
2 parents fcc0159 + cf72c52
commit d337aec
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 0 deletions.
diff --git a/docs/products/access/api-reference/end-user/session.md b/docs/products/access/api-reference/end-user/session.md
@@ -5,6 +5,10 @@ only accessible with valid API client credentials. These endpoints can be utiliz
 specific user. For instance, the web application might want to display a list of active sessions to the user, including details such
 as session ID, authentication time, last issued access time, user agent, and location information.
 
+In addition to listing sessions, this API also allows for terminating user sessions.
+These termination endpoints provide a layer of security and control over user sessions. It ensures old and inactive sessions can be properly
+ended as needed, maintaining the integrity of the user's active sessions.
+
 ## List User Sessions
 
 Endpoint: `GET /oauth/api/v1/users/{userId}/sessions`
@@ -62,3 +66,51 @@ Pragma: no-cache
   "error": "No sessions found"
 }
 ```
+
+## End User Sessions
+
+### End All Sessions
+
+Endpoint: `DELETE /oauth/api/v1/users/{userId}/sessions`
+
+| Parameter | Description              |
+|-----------|--------------------------|
+| `userId`  | User's unique identifier |
+
+This secure endpoint requires authentication using API credentials. It has been designed to delete every active session of a specified user.
+Default behavior is to remove the associated tokens as well.
+
+Upon successful deletion, a `204 No Content` status is sent back. If the user doesn't exist or has no active sessions, it will also result
+in `204 No Content` being returned.
+
+**Query Parameters:**
+
+| Parameter      | Description                                                | Default |
+|----------------|------------------------------------------------------------|---------|
+| `removeTokens` | If true, additionally scraps all of the associated tokens. | `true`  |
+
+---
+
+### End a Specific Session
+
+Endpoint: `DELETE /oauth/api/v1/users/{userId}/sessions/{sessionId}`
+
+| Parameter   | Description                 |
+|-------------|-----------------------------|
+| `userId`    | User's unique identifier    |
+| `sessionId` | Session's unique identifier |
+
+This endpoint, protected by authentication via client credentials, removes an individual session of the user in question. By default, the
+associated tokens are removed too.
+
+Upon successful deletion, you'll receive a `204 No Content` status. If the user or the session is nonexistent, a status `204 No Content` is
+sent back as well.
+
+**Query Parameters:**
+
+| Parameter      | Description                                                        | Default |
+|----------------|--------------------------------------------------------------------|---------|
+| `removeTokens` | If true, cleans out all of the tokens associated with the session. | `true`  |
+
+Both of these endpoints are invaluable security tools that help you administer user sessions and ensure that older, unused sessions are
+appropriately terminated thereby enhancing your control over the process of user authentication.
diff --git a/docs/products/access/appendix/access-events.md b/docs/products/access/appendix/access-events.md
@@ -223,6 +223,8 @@
 | IDP UJO INVALID OR INCOMPLETE USER INFORMATION                | The returned user id and/or id store type are missing or invalid.                                                                                                                                                    |
 | IDP UJO FAILED TO FETCH JOURNEY RESULT                        | An unexpected error occurred while resolving the journey result.                                                                                                                                                     |
 | IDP UJO FAILED TO USER INFO                                   | An unexpected error occurred while resolving UserInfo.                                                                                                                                                               |
+| SESSION_TERMINATION_ALL_USER_SESSIONS_TERMINATED              | All user sessions were ended.                                                                                                                                                                                        |
+| SESSION_TERMINATION_USER_SESSION_TERMINATED                   | Particular user session was ended.                                                                                                                                                                                   |
 
 ## Dynamic clients
 

diff --git a/docs/products/access/release-notes/index.md b/docs/products/access/release-notes/index.md
@@ -8,6 +8,14 @@ The releases are backward compatible. However, we will extend the API contract (
 
 In the release notes, we mention new features and bug fixes. If anything is unclear, feel free to contact [OneWelcome Support](https://support.onewelcome.com).
 
+## Release date 2023-12-19
+
+### Features
+* Added two new methods to the [User Sessions API](../api-reference/end-user/session.md) that make it possible to end all sessions for a given user or to end a specific session for a user.
+
+### Improvements
+* We improved our caching for the [Discovery](../api-reference/oidc/discovery.md) and JWKS endpoints so these endpoints can handle more load. 
+
 ## Release date 2023-12-11
 
 ### Features