hydra
hydra copied to clipboard
ory
Redirection to the post-logout callback URI sometimes beats asynchronous back-channel logout for that RP
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] This issue affects my Ory Cloud project.
- [ ] I have joined the Ory Community Slack.
- [X] I am signed up to the Ory Security Patch Newsletter.
Describe your problem
My OAuth2.0 client is configured with the post-logout callback URI to be the front page of the RP, and with back-channel logout.
When a user clicks logout on this RP, it initiates the logout flows with Hydra.
Sometimes,since the back-channel logout flows became asynchronous in https://github.com/ory/hydra/pull/2849 , we have observed rare scenarios whereby Hydra redirects the user's browser back to the post-logout callback URI faster than it performed back-channel logout on that same RP.
The effect is that the user sometimes ends up back on the front page of the RP but it still looks like they are logged in. Maybe a half second later, we see the back-channel logout flow work and end the session in the backend, but the user doesn't know this. They usually click Logout a second time and they think that it worked the second time (but in fact, their session was ended already before they clicked the second time)
Describe your ideal solution
It would be ideal if somehow the back-channel logout occurred before the redirect did. But I guess that's the old behaviour when it was synchronous.
Is there a way you can make it so that the redirect only happens after the same RP that initiated the logout has had its back-channel logout flow complete? A sort of half-way between synchronous and asynchronous (the other RPs of course can have the backchannel logout occur asynchronously)
Workarounds or alternatives
An alternative is to always 'end the session early' in the RP before it initiates the OP logout flows, but after it has obtained the id_token from the session to send to the OP as part of that request.
It would then be perhaps good to mention in the documentation that it is a good idea to 'always end the session early, in the RP that is initiating the logout flows. Even though this means back-channel logout for this same RP won't really do anything (you have already ended the user's session), it ensures that if your post-logout redirect URI is to this same RP, it won't look (to the user) like they are still logged in (if your RP makes it look that way), should their browser be redirected to that URI before the asynchronous back-channel logout had a chance to complete for this RP.'
Version
1.11.8
Additional Context
No response
