Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

*Issue with logout when using id token hint in ory Hydra (2.x)*
We have a web based application on which multiple links perform oauth2 login with hydra and use cookie to avoid login screen again (single sign on).
During every login from each link, single session cookie is getting updated.
We enforce logout on main web based application and not on all links (that perform oauth2 login)

Eventually, when we perform logout from any client (we pass id token hint and post logout url), we want that cookie to be cleared and perform redirect to the main application (on which logout was called)

Expected Behavior
Remove session cookie and redirect to the client.

Actual Behavior
When using logout, it does not remove the cookie as that was replaced by the other client.

If we dont use id token hint, it removes the cookie correctly, but then it cannot redirect back to the client as post logout url cannot be passed in the logout flow without id token hint
If we use id token hint, it does not clear cookie in all scenario, but redirect to the client as per post logout url works correctly.

Has anyone faced this issue? Any workaround with this?

Appreciate your help!

Regards,
Sagar Shah