<@U04UQ68083H> when user revoke permission between...
# ory-copilot
@chilly-king-10285 when a user revokes permission between the OIDC provider and the application, the session is still valid. Is this intentional?
A message from kapa.ai
Yes, this behavior is intentional. In OAuth2 and OpenID Connect implementations like Ory, revoking permissions between an OIDC provider and an application doesn't automatically invalidate the user's session. This is because OAuth2 and OpenID Connect have multiple session layers that operate independently:

1. Application Session Layer: The session in your application
2. Auth0/Ory Session Layer: The session at the authorization server
3. Identity Provider Session Layer: The session at the identity provider

As explained in the Ory documentation, these layers are separate and need to be managed independently. When you revoke permissions (typically by revoking consent), this doesn't automatically terminate the user's session in your application or at the identity provider.

[Ory's blog post on OAuth2](https://www.ory.sh/blog/oauth2-openid-connect-do-you-need-use-cases-examples) explains this challenge:

> "I have implemented OAuth2 but how do I globally sign out my users?". There is a specification for that! But it could be so much easier.

The blog post further explains that with OAuth2, if a user signs in to an application via an identity provider and then logs out of the identity provider, they will still be signed in to the application. The same applies in reverse - revoking permissions doesn't affect the session status.

If you want to completely log out a user, you would need to:

1. Revoke the permissions/consent
2. Terminate the application session
3. Optionally terminate the session at the identity provider

You can use Ory's session management APIs to programmatically revoke sessions as needed:

- [Revoking a specific session](https://www.ory.sh/docs/kratos/session-management/list-revoke-get-sessions#revoking-a-specific-session)
- [Revoking all other sessions](https://www.ory.sh/docs/kratos/session-management/list-revoke-get-sessions#revoking-all-other-sessions)

For OIDC logout specifically, you can use the endpoint described in the [Hydra API Reference](https://www.ory.sh/docs/hydra/reference/api).