# ory-network
k
Hi, We are on the Ory Production plan (#5c934475-9e84-48bb-acc4-6a9813b0215a), and OAuth logouts are not working for our users. Behaviour:
• Calling `oauth2/sessions/logout` with no GET parameters returns a successful response and the user is logged out of their session
• Calling `oauth2/sessions/logout` with `id_token_hint` + `post_logout_redirect_uri` returns a success response but the user is not logged out of their session
We need to use the post_logout_redirect, and currently are unable to successfully logout any of our users. Our issue sounds similar to one reported previously: https://ory-community.slack.com/archives/C02MR4DEEGH/p1723208569583569 Is there a known issue with the logout functionality?
Video of behaviour:
m
Hey @kind-cricket-67361 I'll ask the team to take a look. In the meantime can you check it is not one of these common issues:
1. Active Authentication Session: If no active authentication session is set at Ory OAuth2 & OpenID Connect, the browser will be redirected immediately to the system-wide configured post logout redirect URI. An active session may be missing because:
   ◦ You are using a Browser with a very strict privacy policy which makes it difficult or impossible for Ory to properly set cookies. For example, the Brave Browser may cause issues here.
   ◦ You didn't set `remember: true` when accepting the login request.
   ◦ Make sure you have a cookie named `oauth2_authentication_session` for the URL Ory OAuth2 & OpenID Connect is running on, and for the domain that's in your `http://.../oauth2/sessions/logout`. Source
2. Logout Requests: There are two types of logout requests - one is called "OP (OpenID Provider) Initiated" and one "RP (Relying Party) Initiated". The first flow MUST NEITHER contain the `id_token_hint`, nor a `state`, nor `post_logout_redirect_uri`. If `id_token_hint` is set, you may define both `state` and `post_logout_redirect_uri`. Source
3. Redirect after logout: The `post_logout_redirect_uri` parameter in the OpenID Connect front and back-channel logout flow is used to redirect the user's browser to a specified URL after the logout process is complete. To make the `post_logout_redirect_uri` parameter work, the OAuth 2.0 Client should follow these steps:
   ◦ Allow the `post_logout_redirect_uri`: Each OAuth 2.0 Client can whitelist a list of URIs that can be used as the `post_logout_redirect_uri` parameter value using the `post_logout_redirect_uris` field.
   ◦ Set the `post_logout_redirect_uri` parameter value in the logout request: When making the logout request to Ory OAuth2 & OpenID Connect, the OAuth 2.0 Client should include the `post_logout_redirect_uri` parameter value in the URL query.
   ◦ Set the `state` parameter value in the logout request: When making the logout request, the OAuth 2.0 Client should include a `state` parameter value in the URL query.
   ◦ Set the `id_token_hint` parameter value in the logout request: When making the logout request, the OAuth 2.0 Client should include an `id_token_hint` parameter value in the URL query. Source
c
Hi @magnificent-energy-493 , Thanks for listing the common issues, we've gone through them all to try and figure this out. Regarding point 1.1, does the default Ory Account Experience have a way to control the `remember: true` setting? In the video with the issue there is no code of ours involved, we just run `ory perform authorization-code` against a project with the default Ory Account Experience. Regarding point 1.2, is the default Ory Account Experience supposed to set the `oauth2_authentication_session` cookie? We have not seen this cookie being set; we see 4 CSRF related cookies, and an `ory_session_<project-slug>` cookie. During which HTTP call should the `oauth2_authentication_session` cookie be set? The rest of the common issues do not seem to play a role in our case from what I can tell (Firefox, RP Initiated logout, post logout redirect works). To reiterate, our issue is that the user seemingly logs out correctly, but then is still able to change their password. We've taken all our code out of the equation and are seeing this behaviour with the default Ory Account Experience and the Ory Exemplary OAuth2 client. The cause could be hiding in our project configuration (which I tried to keep as default as possible) or how we are constructing the OAuth2 logout URL perhaps, but I can't find it.