Skip to main content

OAuth2 logout not working

Sometimes, calling /oauth2/sessions/logout doesn't behave as expected, for example:

  • An error occurs.
  • You are being redirected directly to the post_logout_redirect_uri instead of the logout UI.

First of all, there are two types of logout requests - one is called "OP (OpenID Provider) Initiated" and one "RP (Relying Party) Initiated". The first flow MUST NEITHER contain the id_token_hint, nor a state, nor post_logout_redirect_uri.

If no active authentication session is set at Ory OAuth2 & OpenID Connect, the browser will be redirected immediately to the system-wide configured post logout redirect URI.

An active session may be missing because:

  • You are using a Browser with a very strict privacy policy which makes it difficult or impossible for Ory to properly set cookies. We've observed that the Brave Browser may cause issues here.
  • You didn't set remember: true when accepting the login request
note

Before filing a bug report, make sure you have a cookie named oauth2_authentication_session for the URL Ory OAuth2 & OpenID Connect is running on, and for the domain that's in your http://.../oauth2/sessions/logout**

If id_token_hint is set, you may define both state and post_logout_redirect_uri. The same problems can cause this flow to behave unexpectedly as listed above, with the only difference that now Ory knows who the user to be logged out is (from the id_token_hint) and if any Front-/Back-channel Logout is configured for that client, it will be executed even if there is no valid authentication session for that user in Ory.