/oauth2/sessions/logout does not behave as expected, for
- An error occurs.
- You are being redirected directly to the post_logout_redirect_uri instead of the logout UI.
First of all, there are two types of logout requests - one is called "OP (OpenID
Provider) Initiated" and one "RP (Relying Party) Initiated". The first flow MUST
NEITHER contain the
id_token_hint, nor a
If no active authentication session is set at ORY Hydra, the browser will be redirected immediately to the system-wide configured post logout redirect URI.
An active session may be missing because:
- You are mixing up domain names (e.g. 127.0.0.1 and localhost - this is a common mistake)
- You are running ORY Hydra behind a proxy that messes with Cookies
- You did not set
remember: truewhen accepting the login request
Before filing a bug report, make sure you actually have a cookie named
oauth2_authentication_session for the URL ORY Hydra is running on, and
especially for the domain that's in your
id_token_hint is set, you may define both
post_logout_redirect_uri. The same problems can cause this flow to behave
unexpectedly as listed above, with the only difference that now ORY Hydra knows
who the user to be logged out is (from the
id_token_hint) and if any
Front-/Back-channel Logout is configured for that client, it will be executed
even if there is no valid authentication session for that user in ORY Hydra.