issue doing revocation with sid #3653

Open
3 of 5 tasks
nicolasburtey opened this issue Oct 23, 2023 · 1 comment
Labels: bug (Something is not working.)

Comments

@nicolasburtey

Preflight checklist

Ory Network Project

No response

Describe the bug

I am trying to remove some login/consent entries, but not able to do so.

It may be worth mentioning that the following link from the documentation has both subject and sid with the following description: "OAuth 2.0 Subject. The subject to revoke authentication sessions for." I don't know if this is just a typo or relevant to the problem I'm facing.

Also, I tried to play with identity_provider_session_id, but while it's present in the hydra SDK, hydra returns the following error when trying to add that value as part of the flow: `reason:Unable to decode body because: json: unknown field "identity_provider_session_id" status:Bad Request status_code:400]`

Here is an example of how this was tested:

```typescript
// Accepting the login request through the Hydra SDK client,
// passing identity_provider_session_id alongside the usual fields.
const response2 = await hydraClient.acceptOAuth2LoginRequest({
  loginChallenge: login_challenge,
  acceptOAuth2LoginRequest: {
    subject: userId,
    remember: true,
    remember_for: 3600,
    acr: "2", // FIXME
    identity_provider_session_id: "1fe0e55d-4288-4b2e-9deb-50cb12ba796a", // TEST FIXME
  },
});
```

Reproducing the bug

I have the following list from an API call to http://localhost:4445/admin/oauth2/auth/sessions/consent:

```
[
  {
    grant_scope: [ 'transactions:read', 'payments:send', 'openid' ],
    grant_access_token_audience: [],
    session: { access_token: {}, id_token: {} },
    remember: true,
    remember_for: 3600,
    handled_at: '2023-10-23T20:42:19.201088Z',
    consent_request: {
      challenge: '6f0f3b6c3eca494ab3b454dd9341c581',
      requested_scope: [ 'transactions:read', 'payments:send', 'openid' ],
      requested_access_token_audience: [],
      skip: false,
      subject: '9818ea5e-30a8-4b52-879d-d34590e7250e',
      oidc_context: {},
      client: {
        client_id: 'b29e5732-2b2b-4ccc-8d66-531df7191f03',
        client_name: 'api',
        redirect_uris: [ 'http://localhost:3001/api-keys/callback' ],
        grant_types: [ 'authorization_code' ],
        response_types: [ 'code', 'id_token' ],
        scope: 'transactions:read payments:send openid',
        audience: [],
        owner: '',
        policy_uri: '',
        allowed_cors_origins: [],
        tos_uri: '',
        client_uri: '',
        logo_uri: '',
        contacts: [],
        client_secret_expires_at: 0,
        subject_type: 'public',
        jwks: {},
        token_endpoint_auth_method: 'client_secret_basic',
        request_object_signing_alg: 'RS256',
        userinfo_signed_response_alg: 'none',
        created_at: '2023-10-23T13:46:46Z',
        updated_at: '2023-10-23T13:46:45.699047Z',
        metadata: {},
        skip_consent: false,
        authorization_code_grant_access_token_lifespan: null,
        authorization_code_grant_id_token_lifespan: null,
        authorization_code_grant_refresh_token_lifespan: null,
        client_credentials_grant_access_token_lifespan: null,
        implicit_grant_access_token_lifespan: null,
        implicit_grant_id_token_lifespan: null,
        jwt_bearer_grant_access_token_lifespan: null,
        refresh_token_grant_id_token_lifespan: null,
        refresh_token_grant_access_token_lifespan: null,
        refresh_token_grant_refresh_token_lifespan: null
      },
      request_url: 'http://localhost:4444/oauth2/auth?client_id=b29e5732-2b2b-4ccc-8d66-531df7191f03&scope=transactions%3Aread%20payments%3Asend%20openid&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3001%2Fapi-keys%2Fcallback&state=d33132f5b9fb37bf',
      login_challenge: 'c9609a52a55c42f5a156e14e25c4c836',
      login_session_id: 'bf8d015d-bf11-42ba-a629-7350bc245fe6',
      acr: '2',
      amr: [],
      context: null
    }
  }
]
```

If I try to revoke the login using the login_session_id with the following curl command:

```shell
export session_id='bf8d015d-bf11-42ba-a629-7350bc245fe6'
curl -v -X DELETE "http://localhost:4445/admin/oauth2/auth/sessions/login?sid=$session_id"
```

I get the following response, but nothing has changed:

```
*   Trying 127.0.0.1:4445...
* Connected to localhost (127.0.0.1) port 4445 (#0)
> DELETE /admin/oauth2/auth/sessions/login?sid=bf8d015d-bf11-42ba-a629-7350bc245fe6 HTTP/1.1
> Host: localhost:4445
> User-Agent: curl/8.1.2
> Accept: */*
> 
< HTTP/1.1 204 No Content
< Cache-Control: private, no-cache, no-store, must-revalidate
< Date: Mon, 23 Oct 2023 20:46:30 GMT
< 
* Connection #0 to host localhost left intact
```

Now if I do the following:

```shell
curl -v -X DELETE "http://localhost:4445/admin/oauth2/auth/sessions/consent?subject=$subject&client=$CLIENT_ID_APP_API_KEY"
```

the entries are successfully deleted, but I am trying to only delete some login/consent entries for a specific listed login_session_id.

Relevant log output

No response

Relevant configuration

No response

Version

2.1.2

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response
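The post above revokes by `subject` and `client` because revoking by `sid` had no visible effect. The added example below (not code from the issue author or from Ory Hydra) takes a consent-session list in the shape returned by the `/admin/oauth2/auth/sessions/consent` endpoint shown above, finds the entries that belong to one `login_session_id`, and builds the subject/client DELETE URLs that would clear them; it also reports collateral entries (same subject and client, different login session) that such a call would remove as well, since that endpoint is not scoped to a login session. The `adminUrl` default and the sample entries are constructed for the example.

```javascript
// Constructed sample: two consent entries for the same subject/client from
// different login sessions, plus one for the same login session but another client.
const consentSessions = [
  { consent_request: { subject: "user-a", client: { client_id: "api" }, login_session_id: "sid-1" } },
  { consent_request: { subject: "user-a", client: { client_id: "api" }, login_session_id: "sid-2" } },
  { consent_request: { subject: "user-a", client: { client_id: "web" }, login_session_id: "sid-1" } },
];

// Returns one plan entry per distinct subject/client pair tied to loginSessionId:
// the DELETE URL for the consent endpoint and the login_session_ids of other
// entries that the same DELETE would also revoke (collateral).
function planRevocation(sessions, loginSessionId, adminUrl = "http://localhost:4445") {
  const targets = new Map();
  for (const { consent_request: r } of sessions) {
    if (r.login_session_id !== loginSessionId) continue;
    const key = JSON.stringify([r.subject, r.client.client_id]);
    targets.set(key, { subject: r.subject, client: r.client.client_id });
  }
  const plan = [];
  for (const t of targets.values()) {
    // Anything with the same subject+client but a different login session is
    // revoked too, because the endpoint cannot be narrowed further.
    const collateral = sessions
      .map((s) => s.consent_request)
      .filter((r) => r.subject === t.subject && r.client.client_id === t.client
        && r.login_session_id !== loginSessionId)
      .map((r) => r.login_session_id);
    const query = new URLSearchParams({ subject: t.subject, client: t.client });
    plan.push({ ...t, url: `${adminUrl}/admin/oauth2/auth/sessions/consent?${query}`, collateral });
  }
  return plan;
}

// Stand-alone run: print the plan for login session "sid-1" from the sample.
for (const entry of planRevocation(consentSessions, "sid-1")) {
  console.log(`DELETE ${entry.url}` + (entry.collateral.length
    ? `  (also revokes login sessions: ${entry.collateral.join(", ")})` : ""));
}
```

Run the plan before issuing any DELETE: a non-empty `collateral` list means the subject/client call would revoke more than the one login session you meant to clear.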

@nicolasburtey nicolasburtey added the bug Something is not working. label Oct 23, 2023
@nicolasburtey (Author)

Wondering if this PR would fix the issue I have: https://github.com/ory/hydra/pull/2844/files ?
