Delete individual consent sessions via API

[alnr]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe your problem

Currently, we can revoke all consent sessions (and their associated token chains) for a particular client, or all consent sessions for a particular client/subject pair. See https://www.ory.sh/docs/reference/api#tag/oAuth2/operation/revokeOAuth2ConsentSessions

We cannot, however, revoke an individual consent session through this API.

Describe your ideal solution

1. Clean up the API reponses from GET /admin/oauth2/auth/sessions/consent

This is confusing, since we call the challenge the ID of the consent session.

In GET /admin/oauth2/auth/requests/consent, however, the challenge parameter in the response will be the long AEAD string, which is not the same as the challenge ID.
This needs to be disambiguated. See also this line of code.

2. Add a consent_session_id or consent_challenge_id or consent_id query parameter (nomenclature to be decided in step 1) to DELETE /admin/oauth2/auth/sessions/consent which deletes only this one consent session (~= row in hydra_oauth2_flow) and the associated token chain.
   This ID must already be fixed before the flow is persisted and be returned from GET /admin/oauth2/auth/requests/consent so the consent UI can insert it into access+refresh tokens.

Workarounds or alternatives

Not sure.

Version

2.1+

Additional Context

Medium prio