From 1811d4b1704aeab18864ea4d9db9510974b49283 Mon Sep 17 00:00:00 2001 From: Hubert Krasnodebski Date: Thu, 7 Dec 2023 14:33:39 +0100 Subject: [PATCH 1/3] SAAS-1091: Add new API to end sessions --- .../access/api-reference/end-user/session.md | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/docs/products/access/api-reference/end-user/session.md b/docs/products/access/api-reference/end-user/session.md index f7595c38..d868f060 100644 --- a/docs/products/access/api-reference/end-user/session.md +++ b/docs/products/access/api-reference/end-user/session.md @@ -5,6 +5,9 @@ only accessible with valid API client credentials. These endpoints can be utiliz specific user. For instance, the web application might want to display a list of active sessions to the user, including details such as session ID, authentication time, last issued access time, user agent, and location information. +In addition to listing sessions, this API also allows for terminating user sessions. +These termination endpoints provide a layer of security and control over user sessions. It ensures old and inactive sessions can be properly ended as needed, maintaining the integrity of the user's active sessions. + ## List User Sessions Endpoint: `GET /oauth/api/v1/users/{userId}/sessions` 
@@ -62,3 +65,46 @@ Pragma: no-cache "error": "No sessions found" } ``` + +## End User Sessions + +### End All Sessions + +Endpoint: `DELETE /oauth/api/v1/users/{userId}/sessions` + +| Parameter | Description | +| --- | --- | +| `userId` | User's unique identifier | + +This secure endpoint requires authentication using API credentials. It has been designed to delete every active session of a specified user. Default behavior is to remove the associated tokens as well. + +Upon successful deletion, a `204 No Content` status is sent back. If the user doesn't exist or has no active sessions, it will also result in `204 No Content` being returned. + +**Query Parameters:** + +| Parameter | Description | Default | +| --- | --- | --- | +| `removeTokens` | If true, additionally scraps all of the associated tokens. | `true` | + +--- + +### End a Specific Session + +Endpoint: `DELETE /oauth/api/v1/users/{userId}/sessions/{sessionId}` + +| Parameter | Description | +| --- | --- | +| `userId` | User's unique identifier | +| `sessionId` | Session's unique identifier | + +This endpoint, protected by authentication via client credentials, removes an individual session of the user in question. By default, the associated tokens are removed too. + +Upon successful deletion, you'll receive a `204 No Content` status. If the user or the session is nonexistent, a status `204 No Content` is sent back as well. + +**Query Parameters:** + +| Parameter | Description | Default | +| --- | --- | --- | +| `removeTokens` | If true, cleans out all of the tokens associated with the session. | `true` | + +Both of these endpoints are invaluable security tools that help you administer user sessions and ensure that older, unused sessions are appropriately terminated thereby enhancing your control over the process of user authentication. From 9a2d35ac60ed9042b61a995afd5630c49252c02f Mon Sep 17 00:00:00 2001 
From: Hubert Krasnodebski Date: Wed, 13 Dec 2023 10:20:32 +0100 Subject: [PATCH 2/3] SAAS-1091: add description of events --- .../access/api-reference/end-user/session.md | 44 +++++++++++-------- .../products/access/appendix/access-events.md | 2 + 2 files changed, 27 insertions(+), 19 deletions(-) diff --git a/docs/products/access/api-reference/end-user/session.md b/docs/products/access/api-reference/end-user/session.md index d868f060..b49ffcd5 100644 --- a/docs/products/access/api-reference/end-user/session.md +++ b/docs/products/access/api-reference/end-user/session.md @@ -5,8 +5,9 @@ only accessible with valid API client credentials. These endpoints can be utiliz specific user. For instance, the web application might want to display a list of active sessions to the user, including details such as session ID, authentication time, last issued access time, user agent, and location information. -In addition to listing sessions, this API also allows for terminating user sessions. -These termination endpoints provide a layer of security and control over user sessions. It ensures old and inactive sessions can be properly ended as needed, maintaining the integrity of the user's active sessions. +In addition to listing sessions, this API also allows for terminating user sessions. +These termination endpoints provide a layer of security and control over user sessions. It ensures old and inactive sessions can be properly +ended as needed, maintaining the integrity of the user's active sessions. ## List User Sessions 
@@ -72,19 +73,21 @@ Pragma: no-cache Endpoint: `DELETE /oauth/api/v1/users/{userId}/sessions` -| Parameter | Description | -| --- | --- | -| `userId` | User's unique identifier | +| Parameter | Description | +|-----------|--------------------------| +| `userId` | User's unique identifier | -This secure endpoint requires authentication using API credentials. It has been designed to delete every active session of a specified user. Default behavior is to remove the associated tokens as well. +This secure endpoint requires authentication using API credentials. It has been designed to delete every active session of a specified user. +Default behavior is to remove the associated tokens as well. -Upon successful deletion, a `204 No Content` status is sent back. If the user doesn't exist or has no active sessions, it will also result in `204 No Content` being returned. +Upon successful deletion, a `204 No Content` status is sent back. If the user doesn't exist or has no active sessions, it will also result +in `204 No Content` being returned. **Query Parameters:** -| Parameter | Description | Default | -| --- | --- | --- | -| `removeTokens` | If true, additionally scraps all of the associated tokens. | `true` | +| Parameter | Description | Default | +|----------------|------------------------------------------------------------|---------| +| `removeTokens` | If true, additionally scraps all of the associated tokens. | `true` | --- 
@@ -92,19 +95,22 @@ Upon successful deletion, a `204 No Content` status is sent back. If the user do Endpoint: `DELETE /oauth/api/v1/users/{userId}/sessions/{sessionId}` -| Parameter | Description | -| --- | --- | -| `userId` | User's unique identifier | +| Parameter | Description | +|-------------|-----------------------------| +| `userId` | User's unique identifier | | `sessionId` | Session's unique identifier | -This endpoint, protected by authentication via client credentials, removes an individual session of the user in question. By default, the associated tokens are removed too. +This endpoint, protected by authentication via client credentials, removes an individual session of the user in question. By default, the +associated tokens are removed too. -Upon successful deletion, you'll receive a `204 No Content` status. If the user or the session is nonexistent, a status `204 No Content` is sent back as well. +Upon successful deletion, you'll receive a `204 No Content` status. If the user or the session is nonexistent, a status `204 No Content` is +sent back as well. **Query Parameters:** -| Parameter | Description | Default | -| --- | --- | --- | -| `removeTokens` | If true, cleans out all of the tokens associated with the session. | `true` | +| Parameter | Description | Default | +|----------------|--------------------------------------------------------------------|---------| +| `removeTokens` | If true, cleans out all of the tokens associated with the session. | `true` | -Both of these endpoints are invaluable security tools that help you administer user sessions and ensure that older, unused sessions are appropriately terminated thereby enhancing your control over the process of user authentication. +Both of these endpoints are invaluable security tools that help you administer user sessions and ensure that older, unused sessions are +appropriately terminated thereby enhancing your control over the process of user authentication. 
diff --git a/docs/products/access/appendix/access-events.md b/docs/products/access/appendix/access-events.md index 0e9142cd..a85b5e33 100644 --- a/docs/products/access/appendix/access-events.md +++ b/docs/products/access/appendix/access-events.md @@ -217,6 +217,8 @@ | ONEGINI IDP EXTERNAL IDPS FETCH FAILED | Onegini Access was unable to fetch the list of external identity providers that are configured in the [Consumer Identity Manager](https://docs-single-tenant.onegini.com/cim/stable/idp) application. | | TULIP ACCESS TOKEN REQUEST FAILED | Request to Tulips `token` endpoint for API access token failed. | | TULIP UDH REQUEST FAILED | Failed to get user data from Tulip's User Data Enhancer endpoint. | +| SESSION_TERMINATION_ALL_USER_SESSIONS_TERMINATED | All user sessions were ended. | +| SESSION_TERMINATION_USER_SESSION_TERMINATED | Particular user session was ended. | ## Dynamic clients From cf72c5292ff82f4a03b3930816c1efe657a55ab1 Mon Sep 17 00:00:00 2001 From: rvroon <57628485+rvroon@users.noreply.github.com> Date: Tue, 19 Dec 2023 11:38:28 +0100 Subject: [PATCH 3/3] Release notes 19/12/23 (#339) * Release notes 19/12/23 * Small rewording --------- Co-authored-by: John Pavlecich --- docs/products/access/release-notes/index.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/products/access/release-notes/index.md b/docs/products/access/release-notes/index.md index 85274365..04bf1fbf 100644 --- a/docs/products/access/release-notes/index.md +++ b/docs/products/access/release-notes/index.md 
@@ -8,6 +8,14 @@ The releases are backward compatible. However, we will extend the API contract ( In the release notes, we mention new features and bug fixes. If anything is unclear, feel free to contact [OneWelcome Support](https://support.onewelcome.com). +## Release date 2023-12-19 + +### Features +* Added two new methods to the [User Sessions API](../api-reference/end-user/session.md) that make it possible to end all sessions for a given user or to end a specific session for a user. + +### Improvements +* We improved our caching for the [Discovery](../api-reference/oidc/discovery.md) and JWKS endpoints so these endpoints can handle more load. + ## Release date 2023-12-11 ### Features
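Review bot: In the intro paragraph added to session.md (patch 1, hunk `@@ -5,6 +5,9 @@`), "These termination endpoints provide a layer of security ... It ensures old and inactive sessions can be properly ended" switches from plural to singular; suggest "They ensure that old and inactive sessions can be ended as needed". Since the "List User Sessions" section sits between this paragraph and the new "End User Sessions" section, a link to that section here would help the reader find the termination endpoints.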
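Review bot: The "End User Sessions" section added to session.md (patch 1, hunk `@@ -62,3 +65,46 @@`) documents `removeTokens` with default `true` but never says what happens when it is `false`: whether access and refresh tokens issued for a terminated session remain usable until they expire, and whether they can still be refreshed. That is the security-relevant part of the parameter and should be stated, together with when a caller would legitimately choose `false`. The same hunk says a nonexistent user or session "will also result in `204 No Content` being returned", so a caller cannot distinguish a real termination from a no-op; state explicitly that both endpoints are idempotent and that a 204 is not confirmation that a session existed. The section also lacks example requests and responses, while the "List User Sessions" section before it shows them (the context lines `Pragma: no-cache` and `"error": "No sessions found"` belong to such an example); add a request and the `204` response for each endpoint, plus the error response returned when client credentials are missing or invalid.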
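Review bot: The intro hunk of session.md in patch 2 (`@@ -5,8 +5,9 @@`) only re-wraps the two lines introduced by patch 1 with no wording change; it would be cleaner to squash this into patch 1 so the history does not carry a whitespace-only revision of lines that were added in the previous commit, and the grammar fix ("They ensure") can be made in the same step.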
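Review bot: In the realigned query-parameter table for "End All Sessions" (patch 2, hunk `@@ -72,19 +73,21 @@`), the description "If true, additionally scraps all of the associated tokens." is informal and differs from the wording for the same parameter in the per-session table ("cleans out all of the tokens associated with the session"); use one phrasing for both, e.g. "If true, also removes all tokens associated with the terminated session(s)." and add a sentence on the `false` case, since the two tables are the only place the parameter is defined.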
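Review bot: For "End a Specific Session" (patch 2, hunk `@@ -92,19 +95,22 @@`), the text covers the cases where "the user or the session is nonexistent" but not the case where `sessionId` exists but does not belong to `userId`; the documentation should say what the endpoint does then (the natural reading of the surrounding text is a `204` with nothing terminated), because callers building per-user session management need to know that the `userId` path segment scopes the lookup. In the closing paragraph, "appropriately terminated thereby enhancing" needs a comma before "thereby", and "invaluable security tools" reads as marketing copy in a reference page; a plain "Use these endpoints to terminate stale or unused sessions" fits the rest of the document better.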
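Review bot: The two event rows added to access-events.md (patch 2, hunk `@@ -217,6 +217,8 @@`) use underscore-separated names (`SESSION_TERMINATION_ALL_USER_SESSIONS_TERMINATED`, `SESSION_TERMINATION_USER_SESSION_TERMINATED`) while the neighbouring rows use space-separated names (`TULIP ACCESS TOKEN REQUEST FAILED`); confirm which form Onegini Access actually emits and make the table consistent, since anyone writing a detection rule will match on the literal event name. The descriptions "All user sessions were ended." and "Particular user session was ended." should also say whether the event carries the user id, the session id and the `removeTokens` setting, and whether it is emitted when the `DELETE` call matched no session (the API returns `204` in that case), so operators know whether one event means one real termination.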
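Review bot: The 2023-12-19 release-notes entry (patch 3, hunk `@@ -8,6 +8,14 @@`) announces the two new User Sessions API methods but not the two audit events added in the same change set (`SESSION_TERMINATION_ALL_USER_SESSIONS_TERMINATED`, `SESSION_TERMINATION_USER_SESSION_TERMINATED`); add a bullet pointing to the access-events appendix so operators can update their log monitoring, and mention that the new endpoints remove the associated tokens by default (`removeTokens` defaults to `true`), as that is the behaviour integrators most need to know before calling them.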