Add support for login session revocation by session ID #3448
Description
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- This issue affects my Ory Network project.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Describe your problem
We are building an OIDC login solution with Hydra and want to have a Single Sign Out as the only sign-out strategy. This means that if the user is signing out of any of our apps, they should be signed out from all of the apps we have.
While this is generally supported via RP Initiated Logout in Hydra, the UX of it is quite bad (especially in the native apps). The reason for the bad UX is the non-customizable consent prompt on iOS (and some Android phones as well).
The dialog looks like this

We want to avoid the prompt altogether to make the sign-out experience quick and predictable for our users.
Describe your ideal solution
The ideal solution for us would be a headless/admin API to revoke the login session by the session ID (sid claim in the ID token).
Similar to the existing API that revokes all login sessions for a given subject - https://www.ory.sh/docs/reference/api#tag/oAuth2/operation/revokeOAuth2LoginSessions
We can also use an id_token_hint to get backchannel logout notifications and let the registered clients know that logout was performed. If this part is difficult, it can be skipped, since we can implement a workaround on our end for the notifications.
Workarounds or alternatives
Since there is no easy way to achieve a headless log-out now, we would have to connect directly to the DB that Hydra uses and invalidate the sessions ourselves. This is extremely hacky and would likely result in data corruption and failed login sessions.
Version
2.x
Additional Context
No response
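As an added illustration of the two pieces the request above relies on (this is example code written for this page, not Ory's or the issue author's code), the block below pulls the `sid` and `sub` claims out of an ID token and builds the request for the existing per-subject `revokeOAuth2LoginSessions` endpoint linked above. The admin base URL, the issuer, the client ID and the sample token are constructed; the endpoint path follows the Hydra 2.x admin API as documented at that link and should be treated as an assumption if your version differs. Note that the claim extraction deliberately does not verify the token signature, so it is only appropriate for tokens your own Hydra minted and that reached you over a trusted path; anything else must be verified against Hydra's JWKS first.

```python
"""Added example: locate the login-session ID (`sid`) in an ID token and
prepare a call to Hydra's existing subject-wide login-session revocation.
Not Ory's code; URLs and the sample token are constructed."""
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_id_token(sub: str, sid: str) -> str:
    """Build a sample token for offline testing only (signature is a placeholder)."""
    header = {"alg": "RS256", "kid": "constructed-key-id", "typ": "JWT"}
    payload = {
        "iss": "https://hydra.example.internal/",  # constructed issuer
        "sub": sub,
        "aud": "constructed-client-id",           # constructed OAuth2 client
        "sid": sid,                               # the login-session ID claim
        "iat": 1700000000,
        "exp": 1700003600,
    }
    segments = [
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    ]
    return ".".join(segments + [_b64url_encode(b"constructed-signature")])


def extract_unverified_claims(id_token: str) -> dict:
    """Decode the payload of a compact JWS WITHOUT checking its signature.

    Only acceptable for tokens issued by your own Hydra and obtained from a
    trusted path; verify against Hydra's JWKS before acting on claims from
    anywhere else.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    claims = json.loads(_b64url_decode(parts[1]))
    for required in ("sub", "sid"):
        if required not in claims:
            raise ValueError(f"ID token is missing the {required!r} claim")
    return claims


def build_revoke_login_sessions_request(admin_base_url: str, subject: str) -> Request:
    """Request for the documented revokeOAuth2LoginSessions admin endpoint.

    This revokes EVERY login session of the subject; a per-`sid` variant is
    what the issue above asks for. Path assumed from the Hydra 2.x admin API.
    """
    query = urlencode({"subject": subject})
    url = f"{admin_base_url.rstrip('/')}/admin/oauth2/auth/sessions/login?{query}"
    return Request(url, method="DELETE")


def plan_logout(admin_base_url: str, id_token: str) -> dict:
    """Summarise what a headless sign-out would do, without sending anything."""
    claims = extract_unverified_claims(id_token)
    req = build_revoke_login_sessions_request(admin_base_url, claims["sub"])
    return {
        "sid": claims["sid"],
        "subject": claims["sub"],
        "method": req.get_method(),
        "url": req.full_url,
    }


if __name__ == "__main__":
    token = make_constructed_id_token("user-123", "sess-456")
    # Hydra's admin listener defaults to port 4445; constructed local URL.
    print(plan_logout("http://localhost:4445", token))
```

The `sid` value surfaces here only so a caller can correlate the revocation with the session that triggered it; the existing endpoint still keys on the subject, which is exactly the gap the request above describes.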