# ory-copilot
@chilly-king-10285 We have set up a local webhook as `backchannel_logout_uri` in our Ory client config to test, but it is not being fired when calling `oauth2/sessions/logout`. How do we call the webhook?
A message from kapa.ai
To ensure your webhook set as `backchannel_logout_uri` is called when you trigger a logout with Ory, you need to follow these steps:

1. Register the `backchannel_logout_uri` correctly: Make sure your OAuth2 client configuration includes the `backchannel_logout_uri` field with the correct URL of your webhook. Also, consider setting `backchannel_logout_session_required` if you want the session ID (`sid`) to be included in the logout token.
2. Trigger logout with the correct parameters: When calling the `/oauth2/sessions/logout` endpoint, you must provide an `id_token_hint` parameter. This is required for Ory to identify the user and trigger the back-channel logout, especially if there is no active session (e.g., if "Remember Me" was not set during login). The `id_token_hint` should be the ID Token issued to the user during authentication. Example logout URL:

   ```
   https://<your-ory-domain>/oauth2/sessions/logout?id_token_hint=<ID_TOKEN>&post_logout_redirect_uri=<REDIRECT_URI>
   ```

3. Check for session and browser issues: If there is no active authentication session and you do not provide an `id_token_hint`, Ory will not know which user to log out and will skip the back-channel logout, redirecting immediately to the post-logout URI. Make sure you are not running into issues with cookies or session storage, especially in privacy-focused browsers.
4. Validate your webhook endpoint: Your webhook (the `backchannel_logout_uri`) should be able to receive a POST request with a `logout_token` (a JWT). You should validate this token using the public key from your Ory instance.

Common pitfalls:

- Not providing `id_token_hint` in the logout request.
- Misconfigured or missing `backchannel_logout_uri` in the client settings.
- No active session and no `id_token_hint` provided, so Ory cannot identify the user to log out.

References:

- The back-channel logout flow and requirements are described in the Ory documentation, including the need for `id_token_hint` and how the `logout_token` is sent to your webhook endpoint: [OpenID Connect logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout).
- Troubleshooting tips for why the logout might not trigger the webhook are also available: [OAuth2 logout not working](https://www.ory.sh/docs/hydra/debug/logout).

If you have followed these steps and your webhook is still not being called, double-check your client configuration and the parameters in your logout request. If the problem persists, ensure your webhook endpoint is accessible from the Ory server and is not blocked by firewalls or network issues.
@chilly-king-10285 So both `id_token_hint` & `post_logout_redirect_uri` are required for this to work in any app?
A message from kapa.ai
No, neither `id_token_hint` nor `post_logout_redirect_uri` is strictly required for the back-channel logout to work, but including `id_token_hint` is highly recommended and often necessary for the back-channel logout webhook (`backchannel_logout_uri`) to be triggered.

- `id_token_hint`: This parameter is used to identify the user's session to be logged out. If you do not provide it and there is no active authentication session, Ory will not know which user to log out, and the back-channel logout will not be triggered. Therefore, to ensure the webhook is called, you should always include `id_token_hint` in your logout request. This is especially important if the session cookie is missing or "Remember Me" was not set during login. Without it, the logout request may simply redirect to the post-logout URI without firing the webhook. See [Send the ID token in 'id_token_hint'](https://www.ory.sh/docs/oauth2-oidc/oidc-logout#send-the-id-token-in-id_token_hint) and [OAuth2 logout not working](https://www.ory.sh/docs/hydra/debug/logout).
- `post_logout_redirect_uri`: This parameter is optional. It is used to redirect the user's browser after logout is complete. If you want the user to be redirected to a specific page after logout, you should include it and ensure it is whitelisted in your client configuration. However, it is not required for the back-channel logout webhook to be triggered. See [Redirect after logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout#redirect-after-logout).

Summary:

- `id_token_hint` is recommended and often required for the webhook to be called.
- `post_logout_redirect_uri` is optional and only needed if you want to redirect the user after logout.
@chilly-king-10285 Do we also need to update the `hydra.yml` and/or `kratos.yml` file?
A message from kapa.ai
Based on the provided knowledge sources, there is no explicit information stating that you must update the `hydra.yml` or `kratos.yml` configuration files to enable or configure back-channel logout or the use of `backchannel_logout_uri`. The documentation focuses on registering the appropriate fields (such as `backchannel_logout_uri` and `backchannel_logout_session_required`) in the OAuth2 client configuration, either via CLI or API, and on how to trigger the logout flow using the correct parameters in your requests. See [OpenID Connect logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout).

If you have already set the `backchannel_logout_uri` in your client configuration, no additional changes to `hydra.yml` or `kratos.yml` are mentioned as necessary in the knowledge sources. If you require custom behavior or advanced configuration, you may need to consult the full documentation for those files, but this is not covered in the sources provided.

In summary: You do not need to update `hydra.yml` or `kratos.yml` for standard back-channel logout functionality, according to the available documentation.
@chilly-king-10285 We now have the webhook call, and got the proper `logout_token`. What are the next steps to log out ALL KRATOS sessions?
A message from kapa.ai
To log out (revoke and delete) all Ory Kratos sessions for a user after receiving a valid `logout_token` from the back-channel logout webhook, you need to use the administrative API endpoint to delete all sessions for the user's identity. This operation forcefully logs the user out of all their sessions and deletes all session data.

Steps:

1. Extract the user identity: From the `logout_token` (which is a JWT), extract the `sub` claim. This claim contains the user's identity ID.
2. Call the administrative API to delete sessions: Use the Ory Kratos administrative endpoint to delete all sessions for the given identity ID.

Example in Go:

```go
import (
	"context"
	"os"

	client "github.com/ory/client-go"
)

// ory targets the project's admin API; ORY_PROJECT_SLUG and ORY_ACCESS_TOKEN are read from the environment.
var ory = client.NewAPIClient(&client.Configuration{
	Servers: client.ServerConfigurations{{URL: "https://" + os.Getenv("ORY_PROJECT_SLUG") + ".projects.oryapis.com"}},
})

// ContextWithToken attaches the admin API key as the bearer token for the request.
func ContextWithToken(ctx context.Context) context.Context {
	return context.WithValue(ctx, client.ContextAccessToken, os.Getenv("ORY_ACCESS_TOKEN"))
}

// DisableAndDeleteSessions revokes and deletes every session of the given identity.
func DisableAndDeleteSessions(ctx context.Context, identityId string) (err error) {
	_, err = ory.IdentityApi.DeleteIdentitySessions(ContextWithToken(ctx), identityId).Execute()
	return err
}
```

Example in TypeScript:

```typescript
import { Configuration, IdentityApi } from "@ory/client"

// Admin client for the project; the access token is the Ory API key with identity/session permissions.
const identity = new IdentityApi(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: `${process.env.ORY_ACCESS_TOKEN}`,
  }),
)

// Revokes and deletes every session that belongs to the given identity ID.
export async function disableAndDeleteSessions(identityId: string) {
  return await identity.deleteIdentitySessions({
    id: identityId,
  })
}
```

See [Revoke and delete sessions of a user](https://www.ory.sh/docs/kratos/session-management/list-revoke-get-sessions#revoke-and-delete-sessions-of-a-user).

Summary:

- Parse the `logout_token` to get the user's identity ID (`sub` claim).
- Use the Kratos admin API to delete all sessions for that identity. This will ensure all sessions for the user are revoked and deleted across all devices.
@chilly-king-10285 How do I extract the `sub` claim in TypeScript?
A message from kapa.ai
I'm sorry, but the provided knowledge sources do not contain explicit instructions or code examples for extracting the `sub` claim from a JWT in TypeScript. They describe the structure of the JWT and mention that the `sub` claim is present, but do not show how to decode or parse the token in TypeScript. See [OpenID Connect overview](https://www.ory.sh/docs/oauth2-oidc/overview/oidc-concepts#the-id-token). If you need to extract the `sub` claim, you would typically decode the JWT using a library, but this specific step is not covered in the knowledge sources.
@chilly-king-10285 The `sub` is missing from the JWT token, it's just `iss`, `aud`, `events`, `iat`, `jti` & `sid`. What do you mean exactly by the `sub`?
A message from kapa.ai
Thank you for your clarification. According to the Ory documentation, the example `logout_token` for OpenID Connect Back-Channel Logout contains the following claims: `iss`, `aud`, `iat`, `jti`, `sid`, and `events`. The `sub` (subject) claim is not included in the example or mentioned as a required claim for the logout token:

```json
{
  "iss": "https://server.example.com",
  "aud": "s6BhdRkqt3",
  "iat": 1471566154,
  "jti": "bWJq",
  "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
  "events": {
    "http://schemas.openid.net/event/backchannel-logout": {}
  }
}
```

The documentation does not state that the `sub` claim will be present in the `logout_token`. Instead, the `sid` (session ID) is included, which is used to associate the logout event with a particular session. Therefore, if you need to identify the user, you may need to map the `sid` to the user identity using your own session management or database, as the `sub` claim is not available in the logout token provided by Ory. See [OpenID Connect logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout).

In summary: The `sub` claim is not present in the Ory `logout_token` for back-channel logout. You should use the `sid` claim to identify the session, and if you need the user identity, you must map the session ID (`sid`) to the user in your own system.
@chilly-king-10285 Is there a way to get the `sub` into the `logout_token`?
A message from kapa.ai
Based on the provided knowledge sources, there is no explicit documentation or configuration option described that allows you to include the `sub` (subject) claim in the `logout_token` for OpenID Connect Back-Channel Logout in Ory. The example `logout_token` in the Ory documentation only contains the claims `iss`, `aud`, `iat`, `jti`, `sid`, and `events`, and there is no mention of a way to add the `sub` claim to this token. See [OpenID Connect logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout).

Therefore, according to the available documentation, it is not possible to configure Ory to include the `sub` claim in the `logout_token`. If you need to associate the logout event with a user, you will need to map the `sid` (session ID) to the user in your own system.