Cannot force front/back-channel logout with id_token_hint when "Remember Me" is off

Open mig5 opened this issue 2 years ago • 4 comments

Describe the bug

Hi,

The page https://www.ory.sh/docs/hydra/debug/logout and diagram at https://www.ory.sh/docs/hydra/concepts/logout says that if "Remember Me" is not true, one can still trigger front/back-channel logout by passing id_token_hint in the logout request.

If id_token_hint is set, you may define both state and post_logout_redirect_uri. The same problems can cause this flow to behave unexpectedly as listed above, with the only difference that now Ory Hydra knows who the user to be logged out is (from the id_token_hint) and if any Front-/Back-channel Logout is configured for that client, it will be executed even if there is no valid authentication session for that user in Ory Hydra

This does not seem to be true.

I logged in to an RP without 'Remember Me' set, and saved the id_token somewhere in the RP (as an attribute of the RP's session).

I then issued a logout in my RP, which sent to the OP with the id_token_hint containing that ID token, as https://op-example.com/oauth2/sessions/logout?id_token_hint=xxxxxxxxxxxxxxxxxxxxx&post_logout_redirect_uri=https%3A%2F%2Fmy-example-rp.com

I expected to see Hydra go to the Login&Consent app's /logout endpoint with the logout_challenge and perform front/back-channel logout, but instead it went straight to the post_logout_redirect_uri.

I also tried ensuring I added the state parameter in the logout request, but that didn't help either. Hydra just does an immediate 302 from method:GET path:/oauth2/sessions/logout query:id_token_hint=xxxxxxxxxxxxxx...etc to the URL defined in the post_logout_redirect_uri.

Reproducing the bug

  1. Log into an RP app but don't set remember_me in the login request.
  2. Ensure your RP captures the id_token somehow
  3. Log out of the RP, ensuring that its 'logout' route that invokes the logout request at OP, sends the id token as the id_token_hint param, and your post logout redirect URI param
  4. Expect to see in your browser that Hydra hits the 'Logout' endpoint to do front/back channel logout, despite the lack of an OP session, because id_token_hint was sent in the request
  5. Find that it didn't, and just went to the post logout redirect URI

Relevant log output

No response

Relevant configuration

No response

Version

v1.11.7

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker

Additional Context

No response

mig5 avatar Jun 01 '22 22:06 mig5
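The reproduction steps above amount to three mechanical pieces: mint an RP-initiated logout request that carries id_token_hint, post_logout_redirect_uri and state; know which user/session the hint names; and tell from the OP's 302 whether Hydra went to the login & consent app's logout endpoint (a logout_challenge is present) or straight back to the post_logout_redirect_uri. The following Python is an added example for checking that locally, not code from the issue or from Ory Hydra. The endpoints are the ones quoted in the report; the ID token is a constructed HS256 token (real Hydra ID tokens are RS256 and would be verified by the OP, not by this script), the login & consent host, the claims and the signing key are assumptions:

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the report; the RP's logout route sends the browser here.
OP_LOGOUT_ENDPOINT = "https://op-example.com/oauth2/sessions/logout"
RP_POST_LOGOUT_URI = "https://my-example-rp.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_id_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 ID token for the demo (assumption: a real Hydra token is RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{signature}"


def id_token_claims(token: str) -> dict:
    """Decode the payload only; signature verification is the OP's job, the RP just
    needs to see which subject (sub) and OP session (sid) the hint points at."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def build_logout_url(id_token: str, state: str) -> str:
    """RP-initiated logout request as described in the report: id_token_hint plus
    post_logout_redirect_uri and state."""
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": RP_POST_LOGOUT_URI,
        "state": state,
    }
    return f"{OP_LOGOUT_ENDPOINT}?{urlencode(params)}"


def classify_redirect(location: str, expected_state: str) -> str:
    """Classify the Location header of the OP's 302.
    'logout_provider': Hydra sent the browser to the login & consent app with a
                       logout_challenge, so front/back-channel logout will run.
    'post_logout':     Hydra jumped straight to post_logout_redirect_uri with our
                       state echoed back (the behaviour the report describes).
    'unexpected':      anything else, including a state mismatch."""
    parts = urlsplit(location)
    query = parse_qs(parts.query)
    if "logout_challenge" in query:
        return "logout_provider"
    base = f"{parts.scheme}://{parts.netloc}{parts.path}".rstrip("/")
    if base == RP_POST_LOGOUT_URI.rstrip("/"):
        if query.get("state", [None])[0] != expected_state:
            return "unexpected"
        return "post_logout"
    return "unexpected"


if __name__ == "__main__":
    # Constructed sample: the token the RP stashed in its own session at login time.
    token = make_sample_id_token(
        {"iss": "https://op-example.com/", "aud": "my-rp-client", "sub": "user-123", "sid": "sess-abc"},
        b"demo-signing-key",
    )
    print("hint names", id_token_claims(token)["sub"], "session", id_token_claims(token)["sid"])
    print("logout request:", build_logout_url(token, "state-1"))
    # Two constructed 302 targets: what the docs promise, and what the report observed.
    print(classify_redirect("https://login-consent.example.com/logout?logout_challenge=c0ffee", "state-1"))
    print(classify_redirect("https://my-example-rp.com/?state=state-1", "state-1"))
```

Run it against a real deployment by replacing the two constructed Location strings with the Location header your browser's network tab shows for the GET to /oauth2/sessions/logout; a 'post_logout' result with remember=false at login is exactly the behaviour this issue reports.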

To be clear - if I do set 'Remember me' when logging in, then indeed because the Hydra OP session exists, front/back channel takes place on logout.

But the docs explicitly state that even if there is no 'Remember me', the presence of id_token_hint is enough to still invoke front/back-channel logout. This does not seem to be the case.

mig5 avatar Jun 01 '22 23:06 mig5

Have you found the solution? I am also in this situation, where the back-channel logout is not invoked.

taufikdev88 avatar Mar 15 '23 09:03 taufikdev88

Sorry, I haven't tried again since - my organization made a separate decision, they wanted to 'force' Remember Me to always be 'on', so we just avoided the problem.

mig5 avatar Mar 15 '23 21:03 mig5

Indeed, the behavior is wrong for OAuth2 logouts with remember=false. This needs to be fixed in code; the only workaround right now is what @mig5 said here.

alnr avatar Dec 07 '23 11:12 alnr