steep-lamp-91158
brief-egg-61061
03/13/2025, 3:15 PMbrief-egg-61061
03/13/2025, 3:15 PMid_token_hint
, state
, or post_logout_redirect_uri
. 2. RP (Relying Party) Initiated Logout: This is where you can use id_token_hint
, state
, and post_logout_redirect_uri
. When using post_logout_redirect_uri
, the id_token_hint
is not strictly required, but it is strongly recommended. According to the documentation: > "It is, therefore, recommended to always send the id_token_hint
parameter in the logout request to avoid such issues if possible." [OpenID Connect logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout#send-the-id-token-in-id_token_hint) The documentation also states that when redirecting after logout: > "Set the id_token_hint
parameter value in the logout request: When making the logout request, the OAuth 2.0 Client should include an id_token_hint
parameter value in the URL query. This value should be set to the ID Token that was issued by Ory OAuth2 & OpenID Connect to the user during the authentication process. If included, this parameter value can help to ensure that the logout process can be performed even if no session cookie exists any more." [Redirect after logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout#redirect-after-logout) While the documentation recommends using id_token_hint
, it suggests that it's not strictly required. However, without it, you might encounter issues if: - The OAuth 2.0 Client has multiple sessions for the same user - The session cookie is no longer available - The login request was not remembered There's also an open GitHub issue (#3132) that discusses problems with front/back-channel logout when "Remember Me" is off, which suggests there might be some implementation challenges when not using id_token_hint
. In summary, while technically you can make a logout request with post_logout_redirect_uri
without id_token_hint
, it's strongly recommended to include it to ensure proper logout functionality.