<@U04UQ68083H> Is there a way to have Ory not requ...
# ory-copilot
@chilly-king-10285 Is there a way to have Ory not require an id_token_hint when logging out through oidc, or is it always required when passing a post_logout_redirect_uri?
A message from kapa.ai
Based on the knowledge sources, there are two types of logout requests in Ory's OpenID Connect implementation:

1. OP (OpenID Provider) Initiated Logout: This type MUST NOT contain `id_token_hint`, `state`, or `post_logout_redirect_uri`.
2. RP (Relying Party) Initiated Logout: This is where you can use `id_token_hint`, `state`, and `post_logout_redirect_uri`.

When using `post_logout_redirect_uri`, the `id_token_hint` is not strictly required, but it is strongly recommended. According to the documentation:

> "It is, therefore, recommended to always send the `id_token_hint` parameter in the logout request to avoid such issues if possible."

[OpenID Connect logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout#send-the-id-token-in-id_token_hint)

The documentation also states that when redirecting after logout:

> "Set the `id_token_hint` parameter value in the logout request: When making the logout request, the OAuth 2.0 Client should include an `id_token_hint` parameter value in the URL query. This value should be set to the ID Token that was issued by Ory OAuth2 & OpenID Connect to the user during the authentication process. If included, this parameter value can help to ensure that the logout process can be performed even if no session cookie exists any more."

[Redirect after logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout#redirect-after-logout)

While the documentation recommends using `id_token_hint`, it suggests that it's not strictly required. However, without it, you might encounter issues if:

- The OAuth 2.0 Client has multiple sessions for the same user
- The session cookie is no longer available
- The login request was not remembered

There's also an open GitHub issue (#3132) that discusses problems with front/back-channel logout when "Remember Me" is off, which suggests there might be some implementation challenges when not using `id_token_hint`.

In summary, while technically you can make a logout request with `post_logout_redirect_uri` without `id_token_hint`, it's strongly recommended to include it to ensure proper logout functionality.