feat(oidc): end session by id_token_hint and without cookie (#8542)

# Which Problems Are Solved

The end_session_endpoint currently always requires the userAgent cookie
to be able to terminate session created through the hosted login UI.
Only tokens issued through the Login V2 can be used to directly
terminate a specific session and without the need of a cookie.
This PR adds the possibility to terminate a single V1 session or all V1
sessions belonging to the same user agent without the need of the
userAgent cookie by providing an id_token as `id_token_hint` which
contains the id of a V1 session as `sid`.

# How the Problems Are Solved

- #8525 added the `sid` claim for id_tokens issued through the login UI
- The `sid` can now be checked for the `V1_` prefix and queries for
either the userAgentID and depending on the
`OIDCSingleV1SessionTermination` flag all userIDs of active session from
the same user agent id
- The `OIDCSingleV1SessionTermination` flag is added with default value
false to keep the existing behavior of terminating all sessions even in
case of providing an id_token_hint

# Additional Changes

- pass `context.Context` into session view functions for querying the
database with that context

# Additional Context

- relates to #8499 
- closes #8501

internal/api/grpc/feature/v2/converter.go

@@ -17,6 +17,7 @@ func systemFeaturesToCommand(req *feature_pb.SetSystemFeaturesRequest) *command.
 		Actions:                         req.Actions,
 		TokenExchange:                   req.OidcTokenExchange,
 		ImprovedPerformance:             improvedPerformanceListToDomain(req.ImprovedPerformance),
+		OIDCSingleV1SessionTermination:  req.OidcSingleV1SessionTermination,
 	}
 }
 
@@ -30,6 +31,7 @@ func systemFeaturesToPb(f *query.SystemFeatures) *feature_pb.GetSystemFeaturesRe
 		OidcTokenExchange:                   featureSourceToFlagPb(&f.TokenExchange),
 		Actions:                             featureSourceToFlagPb(&f.Actions),
 		ImprovedPerformance:                 featureSourceToImprovedPerformanceFlagPb(&f.ImprovedPerformance),
+		OidcSingleV1SessionTermination:      featureSourceToFlagPb(&f.OIDCSingleV1SessionTermination),
 	}
 }
 
@@ -44,6 +46,7 @@ func instanceFeaturesToCommand(req *feature_pb.SetInstanceFeaturesRequest) *comm
 		ImprovedPerformance:             improvedPerformanceListToDomain(req.ImprovedPerformance),
 		WebKey:                          req.WebKey,
 		DebugOIDCParentError:            req.DebugOidcParentError,
+		OIDCSingleV1SessionTermination:  req.OidcSingleV1SessionTermination,
 	}
 }
 
@@ -59,6 +62,7 @@ func instanceFeaturesToPb(f *query.InstanceFeatures) *feature_pb.GetInstanceFeat
 		ImprovedPerformance:                 featureSourceToImprovedPerformanceFlagPb(&f.ImprovedPerformance),
 		WebKey:                              featureSourceToFlagPb(&f.WebKey),
 		DebugOidcParentError:                featureSourceToFlagPb(&f.DebugOIDCParentError),
+		OidcSingleV1SessionTermination:      featureSourceToFlagPb(&f.OIDCSingleV1SessionTermination),
 	}
 }
 

internal/api/grpc/feature/v2/converter_test.go

@@ -25,6 +25,7 @@ func Test_systemFeaturesToCommand(t *testing.T) {
 		Actions:                             gu.Ptr(true),
 		OidcTokenExchange:                   gu.Ptr(true),
 		ImprovedPerformance:                 nil,
+		OidcSingleV1SessionTermination:      gu.Ptr(true),
 	}
 	want := &command.SystemFeatures{
 		LoginDefaultOrg:                 gu.Ptr(true),
@@ -34,6 +35,7 @@ func Test_systemFeaturesToCommand(t *testing.T) {
 		Actions:                         gu.Ptr(true),
 		TokenExchange:                   gu.Ptr(true),
 		ImprovedPerformance:             nil,
+		OIDCSingleV1SessionTermination:  gu.Ptr(true),
 	}
 	got := systemFeaturesToCommand(arg)
 	assert.Equal(t, want, got)
@@ -74,6 +76,10 @@ func Test_systemFeaturesToPb(t *testing.T) {
 			Level: feature.LevelSystem,
 			Value: []feature.ImprovedPerformanceType{feature.ImprovedPerformanceTypeOrgByID},
 		},
+		OIDCSingleV1SessionTermination: query.FeatureSource[bool]{
+			Level: feature.LevelSystem,
+			Value: true,
+		},
 	}
 	want := &feature_pb.GetSystemFeaturesResponse{
 		Details: &object.Details{
@@ -109,6 +115,10 @@ func Test_systemFeaturesToPb(t *testing.T) {
 			ExecutionPaths: []feature_pb.ImprovedPerformance{feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_ORG_BY_ID},
 			Source:         feature_pb.Source_SOURCE_SYSTEM,
 		},
+		OidcSingleV1SessionTermination: &feature_pb.FeatureFlag{
+			Enabled: true,
+			Source:  feature_pb.Source_SOURCE_SYSTEM,
+		},
 	}
 	got := systemFeaturesToPb(arg)
 	assert.Equal(t, want, got)
@@ -124,6 +134,8 @@ func Test_instanceFeaturesToCommand(t *testing.T) {
 		Actions:                             gu.Ptr(true),
 		ImprovedPerformance:                 nil,
 		WebKey:                              gu.Ptr(true),
+		DebugOidcParentError:                gu.Ptr(true),
+		OidcSingleV1SessionTermination:      gu.Ptr(true),
 	}
 	want := &command.InstanceFeatures{
 		LoginDefaultOrg:                 gu.Ptr(true),
@@ -134,6 +146,8 @@ func Test_instanceFeaturesToCommand(t *testing.T) {
 		Actions:                         gu.Ptr(true),
 		ImprovedPerformance:             nil,
 		WebKey:                          gu.Ptr(true),
+		DebugOIDCParentError:            gu.Ptr(true),
+		OIDCSingleV1SessionTermination:  gu.Ptr(true),
 	}
 	got := instanceFeaturesToCommand(arg)
 	assert.Equal(t, want, got)
@@ -178,6 +192,10 @@ func Test_instanceFeaturesToPb(t *testing.T) {
 			Level: feature.LevelInstance,
 			Value: true,
 		},
+		OIDCSingleV1SessionTermination: query.FeatureSource[bool]{
+			Level: feature.LevelInstance,
+			Value: true,
+		},
 	}
 	want := &feature_pb.GetInstanceFeaturesResponse{
 		Details: &object.Details{
@@ -221,6 +239,10 @@ func Test_instanceFeaturesToPb(t *testing.T) {
 			Enabled: false,
 			Source:  feature_pb.Source_SOURCE_UNSPECIFIED,
 		},
+		OidcSingleV1SessionTermination: &feature_pb.FeatureFlag{
+			Enabled: true,
+			Source:  feature_pb.Source_SOURCE_INSTANCE,
+		},
 	}
 	got := instanceFeaturesToPb(arg)
 	assert.Equal(t, want, got)

internal/api/grpc/feature/v2beta/converter.go

@@ -17,6 +17,7 @@ func systemFeaturesToCommand(req *feature_pb.SetSystemFeaturesRequest) *command.
 		Actions:                         req.Actions,
 		TokenExchange:                   req.OidcTokenExchange,
 		ImprovedPerformance:             improvedPerformanceListToDomain(req.ImprovedPerformance),
+		OIDCSingleV1SessionTermination:  req.OidcSingleV1SessionTermination,
 	}
 }
 
@@ -30,6 +31,7 @@ func systemFeaturesToPb(f *query.SystemFeatures) *feature_pb.GetSystemFeaturesRe
 		OidcTokenExchange:                   featureSourceToFlagPb(&f.TokenExchange),
 		Actions:                             featureSourceToFlagPb(&f.Actions),
 		ImprovedPerformance:                 featureSourceToImprovedPerformanceFlagPb(&f.ImprovedPerformance),
+		OidcSingleV1SessionTermination:      featureSourceToFlagPb(&f.OIDCSingleV1SessionTermination),
 	}
 }
 
@@ -44,6 +46,7 @@ func instanceFeaturesToCommand(req *feature_pb.SetInstanceFeaturesRequest) *comm
 		ImprovedPerformance:             improvedPerformanceListToDomain(req.ImprovedPerformance),
 		WebKey:                          req.WebKey,
 		DebugOIDCParentError:            req.DebugOidcParentError,
+		OIDCSingleV1SessionTermination:  req.OidcSingleV1SessionTermination,
 	}
 }
 
@@ -59,6 +62,7 @@ func instanceFeaturesToPb(f *query.InstanceFeatures) *feature_pb.GetInstanceFeat
 		ImprovedPerformance:                 featureSourceToImprovedPerformanceFlagPb(&f.ImprovedPerformance),
 		WebKey:                              featureSourceToFlagPb(&f.WebKey),
 		DebugOidcParentError:                featureSourceToFlagPb(&f.DebugOIDCParentError),
+		OidcSingleV1SessionTermination:      featureSourceToFlagPb(&f.OIDCSingleV1SessionTermination),
 	}
 }
 

internal/api/grpc/feature/v2beta/converter_test.go

@@ -25,6 +25,7 @@ func Test_systemFeaturesToCommand(t *testing.T) {
 		Actions:                             gu.Ptr(true),
 		OidcTokenExchange:                   gu.Ptr(true),
 		ImprovedPerformance:                 nil,
+		OidcSingleV1SessionTermination:      gu.Ptr(true),
 	}
 	want := &command.SystemFeatures{
 		LoginDefaultOrg:                 gu.Ptr(true),
@@ -34,6 +35,7 @@ func Test_systemFeaturesToCommand(t *testing.T) {
 		Actions:                         gu.Ptr(true),
 		TokenExchange:                   gu.Ptr(true),
 		ImprovedPerformance:             nil,
+		OIDCSingleV1SessionTermination:  gu.Ptr(true),
 	}
 	got := systemFeaturesToCommand(arg)
 	assert.Equal(t, want, got)
@@ -74,6 +76,10 @@ func Test_systemFeaturesToPb(t *testing.T) {
 			Level: feature.LevelSystem,
 			Value: []feature.ImprovedPerformanceType{feature.ImprovedPerformanceTypeOrgByID},
 		},
+		OIDCSingleV1SessionTermination: query.FeatureSource[bool]{
+			Level: feature.LevelSystem,
+			Value: true,
+		},
 	}
 	want := &feature_pb.GetSystemFeaturesResponse{
 		Details: &object.Details{
@@ -109,6 +115,10 @@ func Test_systemFeaturesToPb(t *testing.T) {
 			ExecutionPaths: []feature_pb.ImprovedPerformance{feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_ORG_BY_ID},
 			Source:         feature_pb.Source_SOURCE_SYSTEM,
 		},
+		OidcSingleV1SessionTermination: &feature_pb.FeatureFlag{
+			Enabled: true,
+			Source:  feature_pb.Source_SOURCE_SYSTEM,
+		},
 	}
 	got := systemFeaturesToPb(arg)
 	assert.Equal(t, want, got)
@@ -124,6 +134,7 @@ func Test_instanceFeaturesToCommand(t *testing.T) {
 		Actions:                             gu.Ptr(true),
 		ImprovedPerformance:                 nil,
 		WebKey:                              gu.Ptr(true),
+		OidcSingleV1SessionTermination:      gu.Ptr(true),
 	}
 	want := &command.InstanceFeatures{
 		LoginDefaultOrg:                 gu.Ptr(true),
@@ -134,6 +145,7 @@ func Test_instanceFeaturesToCommand(t *testing.T) {
 		Actions:                         gu.Ptr(true),
 		ImprovedPerformance:             nil,
 		WebKey:                          gu.Ptr(true),
+		OIDCSingleV1SessionTermination:  gu.Ptr(true),
 	}
 	got := instanceFeaturesToCommand(arg)
 	assert.Equal(t, want, got)
@@ -178,6 +190,10 @@ func Test_instanceFeaturesToPb(t *testing.T) {
 			Level: feature.LevelInstance,
 			Value: true,
 		},
+		OIDCSingleV1SessionTermination: query.FeatureSource[bool]{
+			Level: feature.LevelInstance,
+			Value: true,
+		},
 	}
 	want := &feature_pb.GetInstanceFeaturesResponse{
 		Details: &object.Details{
@@ -221,6 +237,10 @@ func Test_instanceFeaturesToPb(t *testing.T) {
 			Enabled: false,
 			Source:  feature_pb.Source_SOURCE_UNSPECIFIED,
 		},
+		OidcSingleV1SessionTermination: &feature_pb.FeatureFlag{
+			Enabled: true,
+			Source:  feature_pb.Source_SOURCE_INSTANCE,
+		},
 	}
 	got := instanceFeaturesToPb(arg)
 	assert.Equal(t, want, got)

internal/api/oidc/auth_request.go

@@ -16,6 +16,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/authz"
 	http_utils "github.com/zitadel/zitadel/internal/api/http"
 	"github.com/zitadel/zitadel/internal/api/http/middleware"
+	"github.com/zitadel/zitadel/internal/auth/repository/eventsourcing/handler"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query"
@@ -245,11 +246,20 @@ func (o *OPStorage) TerminateSessionFromRequest(ctx context.Context, endSessionR
 	}
 
 	// If there is no login client header and no id_token_hint or the id_token_hint does not have a session ID,
-	// do a v1 Terminate session.
+	// do a v1 Terminate session (which terminates all sessions of the user agent, identified by cookie).
 	if endSessionRequest.IDTokenHintClaims == nil || endSessionRequest.IDTokenHintClaims.SessionID == "" {
 		return endSessionRequest.RedirectURI, o.TerminateSession(ctx, endSessionRequest.UserID, endSessionRequest.ClientID)
 	}
 
+	// If the sessionID is prefixed by V1, we also terminate a v1 session.
+	if strings.HasPrefix(endSessionRequest.IDTokenHintClaims.SessionID, handler.IDPrefixV1) {
+		err = o.terminateV1Session(ctx, endSessionRequest.UserID, endSessionRequest.IDTokenHintClaims.SessionID)
+		if err != nil {
+			return "", err
+		}
+		return endSessionRequest.RedirectURI, nil
+	}
+
 	// terminate the v2 session of the id_token_hint
 	_, err = o.command.TerminateSessionWithoutTokenCheck(ctx, endSessionRequest.IDTokenHintClaims.SessionID)
 	if err != nil {
@@ -258,6 +268,30 @@ func (o *OPStorage) TerminateSessionFromRequest(ctx context.Context, endSessionR
 	return endSessionRequest.RedirectURI, nil
 }
 
+// terminateV1Session terminates "v1" sessions created through the login UI.
+// Depending on the flag, we either terminate a single session or all of the user agent
+func (o *OPStorage) terminateV1Session(ctx context.Context, userID, sessionID string) error {
+	ctx = authz.SetCtxData(ctx, authz.CtxData{UserID: userID})
+	// if the flag is active we only terminate the specific session
+	if authz.GetFeatures(ctx).OIDCSingleV1SessionTermination {
+		userAgentID, err := o.repo.UserAgentIDBySessionID(ctx, sessionID)
+		if err != nil {
+			return err
+		}
+		return o.command.HumansSignOut(ctx, userAgentID, []string{userID})
+	}
+	// otherwise we search for all active sessions within the same user agent of the current session id
+	userAgentID, userIDs, err := o.repo.ActiveUserIDsBySessionID(ctx, sessionID)
+	if err != nil {
+		logging.WithError(err).Error("error retrieving user sessions")
+		return err
+	}
+	if len(userIDs) == 0 {
+		return nil
+	}
+	return o.command.HumansSignOut(ctx, userAgentID, userIDs)
+}
+
 func (o *OPStorage) RevokeToken(ctx context.Context, token, userID, clientID string) (err *oidc.Error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() {

internal/auth/repository/eventsourcing/eventstore/auth_request.go

@@ -74,8 +74,8 @@ type privacyPolicyProvider interface {
 }
 
 type userSessionViewProvider interface {
-	UserSessionByIDs(string, string, string) (*user_view_model.UserSessionView, error)
-	UserSessionsByAgentID(string, string) ([]*user_view_model.UserSessionView, error)
+	UserSessionByIDs(context.Context, string, string, string) (*user_view_model.UserSessionView, error)
+	UserSessionsByAgentID(context.Context, string, string) ([]*user_view_model.UserSessionView, error)
 	GetLatestUserSessionSequence(ctx context.Context, instanceID string) (*query.CurrentState, error)
 }
 
@@ -1533,7 +1533,7 @@ func userSessionsByUserAgentID(ctx context.Context, provider userSessionViewProv
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
-	session, err := provider.UserSessionsByAgentID(agentID, instanceID)
+	session, err := provider.UserSessionsByAgentID(ctx, agentID, instanceID)
 	if err != nil {
 		return nil, err
 	}
@@ -1573,7 +1573,7 @@ func userSessionByIDs(ctx context.Context, provider userSessionViewProvider, eve
 		OnError(err).
 		Errorf("could not get current sequence for userSessionByIDs")
 
-	session, err := provider.UserSessionByIDs(agentID, user.ID, instanceID)
+	session, err := provider.UserSessionByIDs(ctx, agentID, user.ID, instanceID)
 	if err != nil {
 		if !zerrors.IsNotFound(err) {
 			return nil, err

internal/auth/repository/eventsourcing/eventstore/auth_request_test.go

@@ -34,11 +34,11 @@ var (
 
 type mockViewNoUserSession struct{}
 
-func (m *mockViewNoUserSession) UserSessionByIDs(string, string, string) (*user_view_model.UserSessionView, error) {
+func (m *mockViewNoUserSession) UserSessionByIDs(context.Context, string, string, string) (*user_view_model.UserSessionView, error) {
 	return nil, zerrors.ThrowNotFound(nil, "id", "user session not found")
 }
 
-func (m *mockViewNoUserSession) UserSessionsByAgentID(string, string) ([]*user_view_model.UserSessionView, error) {
+func (m *mockViewNoUserSession) UserSessionsByAgentID(context.Context, string, string) ([]*user_view_model.UserSessionView, error) {
 	return nil, nil
 }
 
@@ -48,11 +48,11 @@ func (m *mockViewNoUserSession) GetLatestUserSessionSequence(ctx context.Context
 
 type mockViewErrUserSession struct{}
 
-func (m *mockViewErrUserSession) UserSessionByIDs(string, string, string) (*user_view_model.UserSessionView, error) {
+func (m *mockViewErrUserSession) UserSessionByIDs(context.Context, string, string, string) (*user_view_model.UserSessionView, error) {
 	return nil, zerrors.ThrowInternal(nil, "id", "internal error")
 }
 
-func (m *mockViewErrUserSession) UserSessionsByAgentID(string, string) ([]*user_view_model.UserSessionView, error) {
+func (m *mockViewErrUserSession) UserSessionsByAgentID(context.Context, string, string) ([]*user_view_model.UserSessionView, error) {
 	return nil, zerrors.ThrowInternal(nil, "id", "internal error")
 }
 
@@ -76,7 +76,7 @@ type mockUser struct {
 	SessionState  domain.UserSessionState
 }
 
-func (m *mockViewUserSession) UserSessionByIDs(string, string, string) (*user_view_model.UserSessionView, error) {
+func (m *mockViewUserSession) UserSessionByIDs(context.Context, string, string, string) (*user_view_model.UserSessionView, error) {
 	return &user_view_model.UserSessionView{
 		ExternalLoginVerification: sql.NullTime{Time: m.ExternalLoginVerification},
 		PasswordlessVerification:  sql.NullTime{Time: m.PasswordlessVerification},
@@ -86,7 +86,7 @@ func (m *mockViewUserSession) UserSessionByIDs(string, string, string) (*user_vi
 	}, nil
 }
 
-func (m *mockViewUserSession) UserSessionsByAgentID(string, string) ([]*user_view_model.UserSessionView, error) {
+func (m *mockViewUserSession) UserSessionsByAgentID(context.Context, string, string) ([]*user_view_model.UserSessionView, error) {
 	sessions := make([]*user_view_model.UserSessionView, len(m.Users))
 	for i, user := range m.Users {
 		sessions[i] = &user_view_model.UserSessionView{

internal/auth/repository/eventsourcing/eventstore/user.go

@@ -28,7 +28,7 @@ func (repo *UserRepo) Health(ctx context.Context) error {
 }
 
 func (repo *UserRepo) UserSessionUserIDsByAgentID(ctx context.Context, agentID string) ([]string, error) {
-	userSessions, err := repo.View.UserSessionsByAgentID(agentID, authz.GetInstance(ctx).InstanceID())
+	userSessions, err := repo.View.UserSessionsByAgentID(ctx, agentID, authz.GetInstance(ctx).InstanceID())
 	if err != nil {
 		return nil, err
 	}
@@ -41,6 +41,14 @@ func (repo *UserRepo) UserSessionUserIDsByAgentID(ctx context.Context, agentID s
 	return userIDs, nil
 }
 
+func (repo *UserRepo) UserAgentIDBySessionID(ctx context.Context, sessionID string) (string, error) {
+	return repo.View.UserAgentIDBySessionID(ctx, sessionID, authz.GetInstance(ctx).InstanceID())
+}
+
+func (repo *UserRepo) ActiveUserIDsBySessionID(ctx context.Context, sessionID string) (userAgentID string, userIDs []string, err error) {
+	return repo.View.ActiveUserIDsBySessionID(ctx, sessionID, authz.GetInstance(ctx).InstanceID())
+}
+
 func (repo *UserRepo) UserEventsByID(ctx context.Context, id string, changeDate time.Time, eventTypes []eventstore.EventType) ([]eventstore.Event, error) {
 	query, err := usr_view.UserByIDQuery(id, authz.GetInstance(ctx).InstanceID(), changeDate, eventTypes)
 	if err != nil {

internal/auth/repository/eventsourcing/eventstore/user_session.go

@@ -14,7 +14,7 @@ type UserSessionRepo struct {
 }
 
 func (repo *UserSessionRepo) GetMyUserSessions(ctx context.Context) ([]*usr_model.UserSessionView, error) {
-	userSessions, err := repo.View.UserSessionsByAgentID(authz.GetCtxData(ctx).AgentID, authz.GetInstance(ctx).InstanceID())
+	userSessions, err := repo.View.UserSessionsByAgentID(ctx, authz.GetCtxData(ctx).AgentID, authz.GetInstance(ctx).InstanceID())
 	if err != nil {
 		return nil, err
 	}

internal/auth/repository/eventsourcing/view/user_session.go

@@ -12,12 +12,20 @@ const (
 	userSessionTable = "auth.user_sessions"
 )
 
-func (v *View) UserSessionByIDs(agentID, userID, instanceID string) (*model.UserSessionView, error) {
-	return view.UserSessionByIDs(v.client, agentID, userID, instanceID)
+func (v *View) UserSessionByIDs(ctx context.Context, agentID, userID, instanceID string) (*model.UserSessionView, error) {
+	return view.UserSessionByIDs(ctx, v.client, agentID, userID, instanceID)
 }
 
-func (v *View) UserSessionsByAgentID(agentID, instanceID string) ([]*model.UserSessionView, error) {
-	return view.UserSessionsByAgentID(v.client, agentID, instanceID)
+func (v *View) UserSessionsByAgentID(ctx context.Context, agentID, instanceID string) ([]*model.UserSessionView, error) {
+	return view.UserSessionsByAgentID(ctx, v.client, agentID, instanceID)
+}
+
+func (v *View) UserAgentIDBySessionID(ctx context.Context, sessionID, instanceID string) (string, error) {
+	return view.UserAgentIDBySessionID(ctx, v.client, sessionID, instanceID)
+}
+
+func (v *View) ActiveUserIDsBySessionID(ctx context.Context, sessionID, instanceID string) (userAgentID string, userIDs []string, err error) {
+	return view.ActiveUserIDsBySessionID(ctx, v.client, sessionID, instanceID)
 }
 
 func (v *View) GetLatestUserSessionSequence(ctx context.Context, instanceID string) (_ *query.CurrentState, err error) {

internal/auth/repository/user.go

@@ -6,4 +6,6 @@ import (
 
 type UserRepository interface {
 	UserSessionUserIDsByAgentID(ctx context.Context, agentID string) ([]string, error)
+	UserAgentIDBySessionID(ctx context.Context, sessionID string) (string, error)
+	ActiveUserIDsBySessionID(ctx context.Context, sessionID string) (userAgentID string, userIDs []string, err error)
 }

internal/command/instance_features.go

@@ -25,6 +25,7 @@ type InstanceFeatures struct {
 	ImprovedPerformance             []feature.ImprovedPerformanceType
 	WebKey                          *bool
 	DebugOIDCParentError            *bool
+	OIDCSingleV1SessionTermination  *bool
 }
 
 func (m *InstanceFeatures) isEmpty() bool {
@@ -37,7 +38,8 @@ func (m *InstanceFeatures) isEmpty() bool {
 		// nil check to allow unset improvements
 		m.ImprovedPerformance == nil &&
 		m.WebKey == nil &&
-		m.DebugOIDCParentError == nil
+		m.DebugOIDCParentError == nil &&
+		m.OIDCSingleV1SessionTermination == nil
 }
 
 func (c *Commands) SetInstanceFeatures(ctx context.Context, f *InstanceFeatures) (*domain.ObjectDetails, error) {

internal/command/instance_features_model.go

@@ -69,6 +69,7 @@ func (m *InstanceFeaturesWriteModel) Query() *eventstore.SearchQueryBuilder {
 			feature_v2.InstanceImprovedPerformanceEventType,
 			feature_v2.InstanceWebKeyEventType,
 			feature_v2.InstanceDebugOIDCParentErrorEventType,
+			feature_v2.InstanceOIDCSingleV1SessionTerminationEventType,
 		).
 		Builder().ResourceOwner(m.ResourceOwner)
 }
@@ -108,6 +109,9 @@ func reduceInstanceFeature(features *InstanceFeatures, key feature.Key, value an
 	case feature.KeyDebugOIDCParentError:
 		v := value.(bool)
 		features.DebugOIDCParentError = &v
+	case feature.KeyOIDCSingleV1SessionTermination:
+		v := value.(bool)
+		features.OIDCSingleV1SessionTermination = &v
 	}
 }
 
@@ -123,5 +127,6 @@ func (wm *InstanceFeaturesWriteModel) setCommands(ctx context.Context, f *Instan
 	cmds = appendFeatureSliceUpdate(ctx, cmds, aggregate, wm.ImprovedPerformance, f.ImprovedPerformance, feature_v2.InstanceImprovedPerformanceEventType)
 	cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.WebKey, f.WebKey, feature_v2.InstanceWebKeyEventType)
 	cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.DebugOIDCParentError, f.DebugOIDCParentError, feature_v2.InstanceDebugOIDCParentErrorEventType)
+	cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.OIDCSingleV1SessionTermination, f.OIDCSingleV1SessionTermination, feature_v2.InstanceOIDCSingleV1SessionTerminationEventType)
 	return cmds
 }

internal/command/instance_features_test.go

@@ -208,6 +208,10 @@ func TestCommands_SetInstanceFeatures(t *testing.T) {
 						ctx, aggregate,
 						feature_v2.InstanceActionsEventType, true,
 					),
+					feature_v2.NewSetEvent[bool](
+						ctx, aggregate,
+						feature_v2.InstanceOIDCSingleV1SessionTerminationEventType, true,
+					),
 				),
 			),
 			args: args{ctx, &InstanceFeatures{
@@ -216,6 +220,7 @@ func TestCommands_SetInstanceFeatures(t *testing.T) {
 				LegacyIntrospection:             gu.Ptr(true),
 				UserSchema:                      gu.Ptr(true),
 				Actions:                         gu.Ptr(true),
+				OIDCSingleV1SessionTermination:  gu.Ptr(true),
 			}},
 			want: &domain.ObjectDetails{
 				ResourceOwner: "instance1",
@@ -246,6 +251,10 @@ func TestCommands_SetInstanceFeatures(t *testing.T) {
 						ctx, aggregate,
 						feature_v2.InstanceLegacyIntrospectionEventType, true,
 					)),
+					feature_v2.NewSetEvent[bool](
+						context.Background(), aggregate,
+						feature_v2.InstanceOIDCSingleV1SessionTerminationEventType, false,
+					),
 				),
 				expectPush(
 					feature_v2.NewSetEvent[bool](
@@ -262,6 +271,7 @@ func TestCommands_SetInstanceFeatures(t *testing.T) {
 				LoginDefaultOrg:                 gu.Ptr(true),
 				TriggerIntrospectionProjections: gu.Ptr(false),
 				LegacyIntrospection:             gu.Ptr(true),
+				OIDCSingleV1SessionTermination:  gu.Ptr(false),
 			}},
 			want: &domain.ObjectDetails{
 				ResourceOwner: "instance1",

internal/command/system_features.go

@@ -17,6 +17,7 @@ type SystemFeatures struct {
 	UserSchema                      *bool
 	Actions                         *bool
 	ImprovedPerformance             []feature.ImprovedPerformanceType
+	OIDCSingleV1SessionTermination  *bool
 }
 
 func (m *SystemFeatures) isEmpty() bool {
@@ -27,7 +28,8 @@ func (m *SystemFeatures) isEmpty() bool {
 		m.TokenExchange == nil &&
 		m.Actions == nil &&
 		// nil check to allow unset improvements
-		m.ImprovedPerformance == nil
+		m.ImprovedPerformance == nil &&
+		m.OIDCSingleV1SessionTermination == nil
 }
 
 func (c *Commands) SetSystemFeatures(ctx context.Context, f *SystemFeatures) (*domain.ObjectDetails, error) {

internal/command/system_features_model.go

@@ -60,6 +60,7 @@ func (m *SystemFeaturesWriteModel) Query() *eventstore.SearchQueryBuilder {
 			feature_v2.SystemTokenExchangeEventType,
 			feature_v2.SystemActionsEventType,
 			feature_v2.SystemImprovedPerformanceEventType,
+			feature_v2.SystemOIDCSingleV1SessionTerminationEventType,
 		).
 		Builder().ResourceOwner(m.ResourceOwner)
 }
@@ -92,6 +93,9 @@ func reduceSystemFeature(features *SystemFeatures, key feature.Key, value any) {
 		features.Actions = &v
 	case feature.KeyImprovedPerformance:
 		features.ImprovedPerformance = value.([]feature.ImprovedPerformanceType)
+	case feature.KeyOIDCSingleV1SessionTermination:
+		v := value.(bool)
+		features.OIDCSingleV1SessionTermination = &v
 	}
 }
 
@@ -105,6 +109,7 @@ func (wm *SystemFeaturesWriteModel) setCommands(ctx context.Context, f *SystemFe
 	cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.TokenExchange, f.TokenExchange, feature_v2.SystemTokenExchangeEventType)
 	cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.Actions, f.Actions, feature_v2.SystemActionsEventType)
 	cmds = appendFeatureSliceUpdate(ctx, cmds, aggregate, wm.ImprovedPerformance, f.ImprovedPerformance, feature_v2.SystemImprovedPerformanceEventType)
+	cmds = appendFeatureUpdate(ctx, cmds, aggregate, wm.OIDCSingleV1SessionTermination, f.OIDCSingleV1SessionTermination, feature_v2.SystemOIDCSingleV1SessionTerminationEventType)
 	return cmds
 }
 

internal/command/system_features_test.go

@@ -176,6 +176,10 @@ func TestCommands_SetSystemFeatures(t *testing.T) {
 						context.Background(), aggregate,
 						feature_v2.SystemActionsEventType, true,
 					),
+					feature_v2.NewSetEvent[bool](
+						context.Background(), aggregate,
+						feature_v2.SystemOIDCSingleV1SessionTerminationEventType, true,
+					),
 				),
 			),
 			args: args{context.Background(), &SystemFeatures{
@@ -184,6 +188,7 @@ func TestCommands_SetSystemFeatures(t *testing.T) {
 				LegacyIntrospection:             gu.Ptr(true),
 				UserSchema:                      gu.Ptr(true),
 				Actions:                         gu.Ptr(true),
+				OIDCSingleV1SessionTermination:  gu.Ptr(true),
 			}},
 			want: &domain.ObjectDetails{
 				ResourceOwner: "SYSTEM",
@@ -232,6 +237,10 @@ func TestCommands_SetSystemFeatures(t *testing.T) {
 						context.Background(), aggregate,
 						feature_v2.SystemActionsEventType, false,
 					),
+					feature_v2.NewSetEvent[bool](
+						context.Background(), aggregate,
+						feature_v2.SystemOIDCSingleV1SessionTerminationEventType, false,
+					),
 				),
 			),
 			args: args{context.Background(), &SystemFeatures{
@@ -240,6 +249,7 @@ func TestCommands_SetSystemFeatures(t *testing.T) {
 				LegacyIntrospection:             gu.Ptr(true),
 				UserSchema:                      gu.Ptr(true),
 				Actions:                         gu.Ptr(false),
+				OIDCSingleV1SessionTermination:  gu.Ptr(false),
 			}},
 			want: &domain.ObjectDetails{
 				ResourceOwner: "SYSTEM",

internal/feature/feature.go

@@ -16,6 +16,7 @@ const (
 	KeyImprovedPerformance
 	KeyWebKey
 	KeyDebugOIDCParentError
+	KeyOIDCSingleV1SessionTermination
 )
 
 //go:generate enumer -type Level -transform snake -trimprefix Level
@@ -41,6 +42,7 @@ type Features struct {
 	ImprovedPerformance             []ImprovedPerformanceType `json:"improved_performance,omitempty"`
 	WebKey                          bool                      `json:"web_key,omitempty"`
 	DebugOIDCParentError            bool                      `json:"debug_oidc_parent_error,omitempty"`
+	OIDCSingleV1SessionTermination  bool                      `json:"terminate_single_v1_session,omitempty"`
 }
 
 type ImprovedPerformanceType int32

internal/feature/key_enumer.go

@@ -7,11 +7,11 @@ import (
 	"strings"
 )
 
-const _KeyName = "unspecifiedlogin_default_orgtrigger_introspection_projectionslegacy_introspectionuser_schematoken_exchangeactionsimproved_performanceweb_keydebug_oidc_parent_error"
+const _KeyName = "unspecifiedlogin_default_orgtrigger_introspection_projectionslegacy_introspectionuser_schematoken_exchangeactionsimproved_performanceweb_keydebug_oidc_parent_errorterminate_single_v1_session"
 
-var _KeyIndex = [...]uint8{0, 11, 28, 61, 81, 92, 106, 113, 133, 140, 163}
+var _KeyIndex = [...]uint8{0, 11, 28, 61, 81, 92, 106, 113, 133, 140, 163, 190}
 
-const _KeyLowerName = "unspecifiedlogin_default_orgtrigger_introspection_projectionslegacy_introspectionuser_schematoken_exchangeactionsimproved_performanceweb_keydebug_oidc_parent_error"
+const _KeyLowerName = "unspecifiedlogin_default_orgtrigger_introspection_projectionslegacy_introspectionuser_schematoken_exchangeactionsimproved_performanceweb_keydebug_oidc_parent_errorterminate_single_v1_session"
 
 func (i Key) String() string {
 	if i < 0 || i >= Key(len(_KeyIndex)-1) {
@@ -34,9 +34,10 @@ func _KeyNoOp() {
 	_ = x[KeyImprovedPerformance-(7)]
 	_ = x[KeyWebKey-(8)]
 	_ = x[KeyDebugOIDCParentError-(9)]
+	_ = x[KeyOIDCSingleV1SessionTermination-(10)]
 }
 
-var _KeyValues = []Key{KeyUnspecified, KeyLoginDefaultOrg, KeyTriggerIntrospectionProjections, KeyLegacyIntrospection, KeyUserSchema, KeyTokenExchange, KeyActions, KeyImprovedPerformance, KeyWebKey, KeyDebugOIDCParentError}
+var _KeyValues = []Key{KeyUnspecified, KeyLoginDefaultOrg, KeyTriggerIntrospectionProjections, KeyLegacyIntrospection, KeyUserSchema, KeyTokenExchange, KeyActions, KeyImprovedPerformance, KeyWebKey, KeyDebugOIDCParentError, KeyOIDCSingleV1SessionTermination}
 
 var _KeyNameToValueMap = map[string]Key{
 	_KeyName[0:11]:         KeyUnspecified,
@@ -59,6 +60,8 @@ var _KeyNameToValueMap = map[string]Key{
 	_KeyLowerName[133:140]: KeyWebKey,
 	_KeyName[140:163]:      KeyDebugOIDCParentError,
 	_KeyLowerName[140:163]: KeyDebugOIDCParentError,
+	_KeyName[163:190]:      KeyOIDCSingleV1SessionTermination,
+	_KeyLowerName[163:190]: KeyOIDCSingleV1SessionTermination,
 }
 
 var _KeyNames = []string{
@@ -72,6 +75,7 @@ var _KeyNames = []string{
 	_KeyName[113:133],
 	_KeyName[133:140],
 	_KeyName[140:163],
+	_KeyName[163:190],
 }
 
 // KeyString retrieves an enum value from the enum constants string name.

internal/query/instance_features.go

@@ -18,6 +18,7 @@ type InstanceFeatures struct {
 	ImprovedPerformance             FeatureSource[[]feature.ImprovedPerformanceType]
 	WebKey                          FeatureSource[bool]
 	DebugOIDCParentError            FeatureSource[bool]
+	OIDCSingleV1SessionTermination  FeatureSource[bool]
 }
 
 func (q *Queries) GetInstanceFeatures(ctx context.Context, cascade bool) (_ *InstanceFeatures, err error) {

internal/query/instance_features_model.go

@@ -69,6 +69,7 @@ func (m *InstanceFeaturesReadModel) Query() *eventstore.SearchQueryBuilder {
 			feature_v2.InstanceImprovedPerformanceEventType,
 			feature_v2.InstanceWebKeyEventType,
 			feature_v2.InstanceDebugOIDCParentErrorEventType,
+			feature_v2.InstanceOIDCSingleV1SessionTerminationEventType,
 		).
 		Builder().ResourceOwner(m.ResourceOwner)
 }
@@ -92,6 +93,7 @@ func (m *InstanceFeaturesReadModel) populateFromSystem() bool {
 	m.instance.TokenExchange = m.system.TokenExchange
 	m.instance.Actions = m.system.Actions
 	m.instance.ImprovedPerformance = m.system.ImprovedPerformance
+	m.instance.OIDCSingleV1SessionTermination = m.system.OIDCSingleV1SessionTermination
 	return true
 }
 
@@ -121,6 +123,8 @@ func reduceInstanceFeatureSet[T any](features *InstanceFeatures, event *feature_
 		features.WebKey.set(level, event.Value)
 	case feature.KeyDebugOIDCParentError:
 		features.DebugOIDCParentError.set(level, event.Value)
+	case feature.KeyOIDCSingleV1SessionTermination:
+		features.OIDCSingleV1SessionTermination.set(level, event.Value)
 	}
 	return nil
 }

internal/query/projection/instance_features.go

@@ -96,6 +96,10 @@ func (*instanceFeatureProjection) Reducers() []handler.AggregateReducer {
 				Event:  feature_v2.InstanceDebugOIDCParentErrorEventType,
 				Reduce: reduceInstanceSetFeature[bool],
 			},
+			{
+				Event:  feature_v2.InstanceOIDCSingleV1SessionTerminationEventType,
+				Reduce: reduceInstanceSetFeature[bool],
+			},
 			{
 				Event:  instance.InstanceRemovedEventType,
 				Reduce: reduceInstanceRemovedHelper(InstanceDomainInstanceIDCol),

internal/query/system_features.go

@@ -27,6 +27,7 @@ type SystemFeatures struct {
 	TokenExchange                   FeatureSource[bool]
 	Actions                         FeatureSource[bool]
 	ImprovedPerformance             FeatureSource[[]feature.ImprovedPerformanceType]
+	OIDCSingleV1SessionTermination  FeatureSource[bool]
 }
 
 func (q *Queries) GetSystemFeatures(ctx context.Context) (_ *SystemFeatures, err error) {

internal/query/system_features_model.go

@@ -57,6 +57,7 @@ func (m *SystemFeaturesReadModel) Query() *eventstore.SearchQueryBuilder {
 			feature_v2.SystemTokenExchangeEventType,
 			feature_v2.SystemActionsEventType,
 			feature_v2.SystemImprovedPerformanceEventType,
+			feature_v2.SystemOIDCSingleV1SessionTerminationEventType,
 		).
 		Builder().ResourceOwner(m.ResourceOwner)
 }
@@ -88,6 +89,8 @@ func reduceSystemFeatureSet[T any](features *SystemFeatures, event *feature_v2.S
 		features.Actions.set(level, event.Value)
 	case feature.KeyImprovedPerformance:
 		features.ImprovedPerformance.set(level, event.Value)
+	case feature.KeyOIDCSingleV1SessionTermination:
+		features.OIDCSingleV1SessionTermination.set(level, event.Value)
 	}
 	return nil
 }

internal/repository/feature/feature_v2/eventstore.go

@@ -14,6 +14,7 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, SystemTokenExchangeEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, SystemActionsEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, SystemImprovedPerformanceEventType, eventstore.GenericEventMapper[SetEvent[[]feature.ImprovedPerformanceType]])
+	eventstore.RegisterFilterEventMapper(AggregateType, InstanceOIDCSingleV1SessionTerminationEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceResetEventType, eventstore.GenericEventMapper[ResetEvent])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceLoginDefaultOrgEventType, eventstore.GenericEventMapper[SetEvent[bool]])
@@ -25,4 +26,5 @@ func init() {
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceImprovedPerformanceEventType, eventstore.GenericEventMapper[SetEvent[[]feature.ImprovedPerformanceType]])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceWebKeyEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 	eventstore.RegisterFilterEventMapper(AggregateType, InstanceDebugOIDCParentErrorEventType, eventstore.GenericEventMapper[SetEvent[bool]])
+	eventstore.RegisterFilterEventMapper(AggregateType, InstanceOIDCSingleV1SessionTerminationEventType, eventstore.GenericEventMapper[SetEvent[bool]])
 }

internal/repository/feature/feature_v2/feature.go

@@ -19,6 +19,7 @@ var (
 	SystemTokenExchangeEventType                   = setEventTypeFromFeature(feature.LevelSystem, feature.KeyTokenExchange)
 	SystemActionsEventType                         = setEventTypeFromFeature(feature.LevelSystem, feature.KeyActions)
 	SystemImprovedPerformanceEventType             = setEventTypeFromFeature(feature.LevelSystem, feature.KeyImprovedPerformance)
+	SystemOIDCSingleV1SessionTerminationEventType  = setEventTypeFromFeature(feature.LevelSystem, feature.KeyOIDCSingleV1SessionTermination)
 
 	InstanceResetEventType                           = resetEventTypeFromFeature(feature.LevelInstance)
 	InstanceLoginDefaultOrgEventType                 = setEventTypeFromFeature(feature.LevelInstance, feature.KeyLoginDefaultOrg)
@@ -30,6 +31,7 @@ var (
 	InstanceImprovedPerformanceEventType             = setEventTypeFromFeature(feature.LevelInstance, feature.KeyImprovedPerformance)
 	InstanceWebKeyEventType                          = setEventTypeFromFeature(feature.LevelInstance, feature.KeyWebKey)
 	InstanceDebugOIDCParentErrorEventType            = setEventTypeFromFeature(feature.LevelInstance, feature.KeyDebugOIDCParentError)
+	InstanceOIDCSingleV1SessionTerminationEventType  = setEventTypeFromFeature(feature.LevelInstance, feature.KeyOIDCSingleV1SessionTermination)
 )
 
 const (

internal/user/repository/view/active_user_ids_by_session_id.sql

@@ -0,0 +1,11 @@
+SELECT
+    s.user_agent_id,
+    s.user_id
+FROM auth.user_sessions s
+    JOIN auth.user_sessions s2
+        ON s.instance_id = s2.instance_id
+        AND s.user_agent_id = s2.user_agent_id
+WHERE
+    s2.id = $1
+    AND s.instance_id = $2
+    AND s.state = 0;

internal/user/repository/view/model/user_session.go

@@ -63,6 +63,11 @@ type UserSessionView struct {
 	ID                           sql.NullString `json:"id" gorm:"-"`
 }
 
+type ActiveUserAgentUserIDs struct {
+	UserAgentID string
+	UserIDs     []string
+}
+
 type userAgentIDPayload struct {
 	ID string `json:"userAgentID"`
 }

internal/user/repository/view/user_agent_by_user_session_id.sql

@@ -0,0 +1,7 @@
+SELECT
+    s.user_agent_id
+FROM auth.user_sessions s
+WHERE
+    s.id = $1
+    AND s.instance_id = $2
+LIMIT 1;

internal/user/repository/view/user_session_view.go

@@ -1,6 +1,7 @@
 package view
 
 import (
+	"context"
 	"database/sql"
 	_ "embed"
 	"errors"
@@ -16,8 +17,15 @@ var userSessionByIDQuery string
 //go:embed user_sessions_by_user_agent.sql
 var userSessionsByUserAgentQuery string
 
-func UserSessionByIDs(db *database.DB, agentID, userID, instanceID string) (userSession *model.UserSessionView, err error) {
-	err = db.QueryRow(
+//go:embed user_agent_by_user_session_id.sql
+var userAgentByUserSessionIDQuery string
+
+//go:embed active_user_ids_by_session_id.sql
+var activeUserIDsBySessionIDQuery string
+
+func UserSessionByIDs(ctx context.Context, db *database.DB, agentID, userID, instanceID string) (userSession *model.UserSessionView, err error) {
+	err = db.QueryRowContext(
+		ctx,
 		func(row *sql.Row) error {
 			userSession, err = scanUserSession(row)
 			return err
@@ -29,8 +37,10 @@ func UserSessionByIDs(db *database.DB, agentID, userID, instanceID string) (user
 	)
 	return userSession, err
 }
-func UserSessionsByAgentID(db *database.DB, agentID, instanceID string) (userSessions []*model.UserSessionView, err error) {
-	err = db.Query(
+
+func UserSessionsByAgentID(ctx context.Context, db *database.DB, agentID, instanceID string) (userSessions []*model.UserSessionView, err error) {
+	err = db.QueryContext(
+		ctx,
 		func(rows *sql.Rows) error {
 			userSessions, err = scanUserSessions(rows)
 			return err
@@ -42,6 +52,51 @@ func UserSessionsByAgentID(db *database.DB, agentID, instanceID string) (userSes
 	return userSessions, err
 }
 
+func UserAgentIDBySessionID(ctx context.Context, db *database.DB, sessionID, instanceID string) (userAgentID string, err error) {
+	err = db.QueryRowContext(
+		ctx,
+		func(row *sql.Row) error {
+			return row.Scan(&userAgentID)
+		},
+		userAgentByUserSessionIDQuery,
+		sessionID,
+		instanceID,
+	)
+	return userAgentID, err
+}
+
+// ActiveUserIDsBySessionID returns all userIDs with an active session on the same user agent (its id is also returned) based on a sessionID
+func ActiveUserIDsBySessionID(ctx context.Context, db *database.DB, sessionID, instanceID string) (userAgentID string, userIDs []string, err error) {
+	err = db.QueryContext(
+		ctx,
+		func(rows *sql.Rows) error {
+			userAgentID, userIDs, err = scanActiveUserAgentUserIDs(rows)
+			return err
+		},
+		activeUserIDsBySessionIDQuery,
+		sessionID,
+		instanceID,
+	)
+	return userAgentID, userIDs, err
+}
+
+func scanActiveUserAgentUserIDs(rows *sql.Rows) (userAgentID string, userIDs []string, err error) {
+	for rows.Next() {
+		var userID string
+		err := rows.Scan(
+			&userAgentID,
+			&userID)
+		if err != nil {
+			return "", nil, err
+		}
+		userIDs = append(userIDs, userID)
+	}
+	if err := rows.Close(); err != nil {
+		return "", nil, zerrors.ThrowInternal(err, "VIEW-Sbrws", "Errors.Query.CloseRows")
+	}
+	return userAgentID, userIDs, nil
+}
+
 func scanUserSession(row *sql.Row) (*model.UserSessionView, error) {
 	session := new(model.UserSessionView)
 	err := row.Scan(