v26.2.22
Much faster OAuth2 logout
This change improves performance of OAuth2/OpenID Connect logout by moving to a database-free implementation. Logout challenges and verifiers are now self-contained encrypted tokens instead of database rows, and the lookup of clients registered for front- and back-channel logout uses a single indexed query.
The behavior of APIs and user interactions is unchanged, with one exception: the admin endpoint GET /admin/oauth2/auth/requests/logout no longer returns 410 Gone for already-handled logout requests, because "handled" state no longer exists.
Upgrade notes:
- Run SQL migrations before rolling out this version. The new client lookup query requires the index added by this release; on CockroachDB the query fails if the index is missing.
- Logout flows that are in flight while the upgrade rolls out fail with "logout request expired". Users retrying complete normally on the new version.
Revoke login sessions by subject in batches
Revoking all login sessions for a subject through DELETE /admin/oauth2/auth/sessions/login?subject=... now deletes the sessions in bounded batches instead of a single statement.
Previously, a subject with a very large number of login sessions produced a single, very large delete that could exceed the database's transaction limits or time out, failing with a "context canceled" error and leaving the sessions in place. Deleting in batches keeps each transaction small, so the request completes reliably regardless of how many sessions a subject has.
The endpoint's behavior is unchanged for callers: all matching login sessions are removed. If the request is canceled partway through, the sessions deleted so far stay deleted and the call can be safely retried to finish the rest.
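One way to structure a bounded-batch delete with the retry property described above, as an added illustration and not Hydra's own code: the loop takes a per-batch delete callback (an assumed shape; in practice it would wrap a LIMITed DELETE statement) and stops when a batch comes back short, so a cancellation between batches leaves the already-committed deletions in place and a retry simply finishes the rest.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// deleteBatch removes up to limit sessions for subject and reports how many
// it removed. Assumed shape: a real implementation runs one DELETE with a
// row limit per call, each in its own short transaction.
type deleteBatch func(ctx context.Context, subject string, limit int) (int, error)

// revokeSessionsBatched deletes all login sessions of subject in batches of
// batchSize. It returns the number deleted so far together with any error,
// so a context cancellation mid-way reports partial progress instead of
// rolling anything back; calling it again completes the remainder.
func revokeSessionsBatched(ctx context.Context, subject string, batchSize int, del deleteBatch) (int, error) {
	if batchSize <= 0 {
		return 0, errors.New("batchSize must be positive")
	}
	total := 0
	for {
		if err := ctx.Err(); err != nil {
			return total, err // caller went away; earlier batches stay deleted
		}
		n, err := del(ctx, subject, batchSize)
		if err != nil {
			return total, err
		}
		total += n
		if n < batchSize {
			return total, nil // short batch means nothing is left for subject
		}
	}
}

// memStore is a constructed in-memory stand-in for the sessions table.
type memStore struct {
	sessions map[string]int // subject -> remaining session count
	calls    int            // number of batch statements issued
}

func (m *memStore) delete(_ context.Context, subject string, limit int) (int, error) {
	m.calls++
	n := min(m.sessions[subject], limit)
	m.sessions[subject] -= n
	return n, nil
}

func main() {
	store := &memStore{sessions: map[string]int{"alice": 2503}}
	total, err := revokeSessionsBatched(context.Background(), "alice", 1000, store.delete)
	fmt.Println(total, store.calls, err) // 2503 3 <nil>
}
```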