https://www.ory.sh/ logo
Join Slack
Powered by
<@U04UQ68083H> Is there a way to have Ory not requ...
# ory-copilot
s
@chilly-king-10285 Is there a way to have Ory not require a id_token_hint when logging out through oidc, or is it always required when passing a post_logout_redirect_uri?
b
A message from kapa.ai
Based on the knowledge sources, there are two types of logout requests in Ory's OpenID Connect implementation: 1. OP (OpenID Provider) Initiated Logout: This type MUST NOT contain 
id_token_hint
, 
state
, or 
post_logout_redirect_uri
. 2. RP (Relying Party) Initiated Logout: This is where you can use 
id_token_hint
, 
state
, and 
post_logout_redirect_uri
. When using 
post_logout_redirect_uri
, the 
id_token_hint
is not strictly required, but it is strongly recommended. According to the documentation: > "It is, therefore, recommended to always send the 
id_token_hint
parameter in the logout request to avoid such issues if possible." [OpenID Connect logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout#send-the-id-token-in-id_token_hint) The documentation also states that when redirecting after logout: > "Set the 
id_token_hint
parameter value in the logout request: When making the logout request, the OAuth 2.0 Client should include an 
id_token_hint
parameter value in the URL query. This value should be set to the ID Token that was issued by Ory OAuth2 & OpenID Connect to the user during the authentication process. If included, this parameter value can help to ensure that the logout process can be performed even if no session cookie exists any more." [Redirect after logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout#redirect-after-logout) While the documentation recommends using 
id_token_hint
, it suggests that it's not strictly required. However, without it, you might encounter issues if: - The OAuth 2.0 Client has multiple sessions for the same user - The session cookie is no longer available - The login request was not remembered There's also an open GitHub issue (#3132) that discusses problems with front/back-channel logout when "Remember Me" is off, which suggests there might be some implementation challenges when not using 
id_token_hint
. In summary, while technically you can make a logout request with 
post_logout_redirect_uri
without 
id_token_hint
, it's strongly recommended to include it to ensure proper logout functionality.
Open in Slack
PreviousNext
Powered by