# ory-copilot
h
@chilly-king-10285 We have set up a local webhook as `backchannel_logout_uri` in our Ory client config to test, but it is not being fired when calling `oauth2/sessions/logout`. How do we call the webhook?
b
A message from kapa.ai
To ensure your webhook set as `backchannel_logout_uri` is called when you trigger a logout with Ory, you need to follow these steps:

1. Register the `backchannel_logout_uri` correctly: Make sure your OAuth2 client configuration includes the `backchannel_logout_uri` field with the correct URL of your webhook. Also, consider setting `backchannel_logout_session_required` if you want the session ID (`sid`) to be included in the logout token.
2. Trigger logout with the correct parameters: When calling the `/oauth2/sessions/logout` endpoint, you must provide an `id_token_hint` parameter. This is required for Ory to identify the user and trigger the back-channel logout, especially if there is no active session (e.g., if "Remember Me" was not set during login). The `id_token_hint` should be the ID Token issued to the user during authentication. Example logout URL:

```
https://<your-ory-domain>/oauth2/sessions/logout?id_token_hint=<ID_TOKEN>&post_logout_redirect_uri=<REDIRECT_URI>
```

3. Check for session and browser issues: If there is no active authentication session and you do not provide an `id_token_hint`, Ory will not know which user to log out and will skip the back-channel logout, redirecting immediately to the post-logout URI. Make sure you are not running into issues with cookies or session storage, especially in privacy-focused browsers.
4. Validate your webhook endpoint: Your webhook (the `backchannel_logout_uri`) should be able to receive a POST request with a `logout_token` (a JWT). You should validate this token using the public key from your Ory instance.

Common pitfalls:
- Not providing `id_token_hint` in the logout request.
- Misconfigured or missing `backchannel_logout_uri` in the client settings.
- No active session and no `id_token_hint` provided, so Ory cannot identify the user to log out.

References:
- The back-channel logout flow and requirements are described in the Ory documentation, including the need for `id_token_hint` and how the `logout_token` is sent to your webhook endpoint [OpenID Connect logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout).
- Troubleshooting tips for why the logout might not trigger the webhook are also available [OAuth2 logout not working](https://www.ory.sh/docs/hydra/debug/logout).

If you have followed these steps and your webhook is still not being called, double-check your client configuration and the parameters in your logout request. If the problem persists, ensure your webhook endpoint is accessible from the Ory server and is not blocked by firewalls or network issues.
h
@chilly-king-10285 So both `id_token_hint` & `post_logout_redirect_uri` are required for this to work in any app?
b
A message from kapa.ai
No, both `id_token_hint` and `post_logout_redirect_uri` are not strictly required for the back-channel logout to work, but including `id_token_hint` is highly recommended and often necessary for the back-channel logout webhook (`backchannel_logout_uri`) to be triggered.

- `id_token_hint`: This parameter is used to identify the user's session to be logged out. If you do not provide it and there is no active authentication session, Ory will not know which user to log out, and the back-channel logout will not be triggered. Therefore, to ensure the webhook is called, you should always include `id_token_hint` in your logout request. This is especially important if the session cookie is missing or "Remember Me" was not set during login. Without it, the logout request may simply redirect to the post-logout URI without firing the webhook [Send the ID token in 'id_token_hint'](https://www.ory.sh/docs/oauth2-oidc/oidc-logout#send-the-id-token-in-id_token_hint) [OAuth2 logout not working](https://www.ory.sh/docs/hydra/debug/logout).
- `post_logout_redirect_uri`: This parameter is optional. It is used to redirect the user's browser after logout is complete. If you want the user to be redirected to a specific page after logout, you should include it and ensure it is whitelisted in your client configuration. However, it is not required for the back-channel logout webhook to be triggered [Redirect after logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout#redirect-after-logout).

Summary:
- `id_token_hint` is recommended and often required for the webhook to be called.
- `post_logout_redirect_uri` is optional and only needed if you want to redirect the user after logout.
h
@chilly-king-10285 Do we also need to update the hydra.yml and/or kratos.yml file?
b
A message from kapa.ai
Based on the provided knowledge sources, there is no explicit information stating that you must update the `hydra.yml` or `kratos.yml` configuration files to enable or configure back-channel logout or the use of `backchannel_logout_uri`. The documentation focuses on registering the appropriate fields (such as `backchannel_logout_uri` and `backchannel_logout_session_required`) in the OAuth2 client configuration, either via CLI or API, and on how to trigger the logout flow using the correct parameters in your requests [OpenID Connect logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout).

If you have already set the `backchannel_logout_uri` in your client configuration, no additional changes to `hydra.yml` or `kratos.yml` are mentioned as necessary in the knowledge sources. If you require custom behavior or advanced configuration, you may need to consult the full documentation for those files, but this is not covered in the sources provided.

In summary: You do not need to update `hydra.yml` or `kratos.yml` for standard back-channel logout functionality, according to the available documentation.
h
@chilly-king-10285 We now have the webhook call, and got the proper `logout_token`. What are the next steps to log out ALL KRATOS sessions?
b
A message from kapa.ai
To log out (revoke and delete) all Ory Kratos sessions for a user after receiving a valid `logout_token` from the back-channel logout webhook, you need to use the administrative API endpoint to delete all sessions for the user's identity. This operation forcefully logs the user out of all their sessions and deletes all session data.

Steps:

1. Extract the user identity: From the `logout_token` (which is a JWT), extract the `sub` claim. This claim contains the user's identity ID.
2. Call the administrative API to delete sessions: Use the Ory Kratos administrative endpoint to delete all sessions for the given identity ID.

Example in Go:

```go
package sessions

import (
	"context"
	"os"

	client "github.com/ory/client-go"
)

// ory is an API client configured for your Ory project (set up elsewhere).
var ory *client.APIClient

// ContextWithToken attaches the Ory API access token to the request context.
func ContextWithToken(ctx context.Context) context.Context {
	return context.WithValue(ctx, client.ContextAccessToken, os.Getenv("ORY_ACCESS_TOKEN"))
}

// DisableAndDeleteSessions revokes and deletes every session of the given identity.
func DisableAndDeleteSessions(ctx context.Context, identityId string) (err error) {
	_, err = ory.IdentityApi.DeleteIdentitySessions(ContextWithToken(ctx), identityId).
		Execute()
	return err
}
```

Example in TypeScript:

```typescript
import { Configuration, IdentityApi } from "@ory/client"

// Admin client for the Ory project, authenticated with the API access token.
const identity = new IdentityApi(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: `${process.env.ORY_ACCESS_TOKEN}`,
  }),
)

// Revokes and deletes every session of the given identity.
export async function disableAndDeleteSessions(identityId: string) {
  return await identity.deleteIdentitySessions({
    id: identityId,
  })
}
```

[Revoke and delete sessions of a user](https://www.ory.sh/docs/kratos/session-management/list-revoke-get-sessions#revoke-and-delete-sessions-of-a-user)

Summary:
- Parse the `logout_token` to get the user's identity ID (`sub` claim).
- Use the Kratos admin API to delete all sessions for that identity.

This will ensure all sessions for the user are revoked and deleted across all devices.
h
@chilly-king-10285 How do I extract the `sub` claim in TypeScript?
b
A message from kapa.ai
I'm sorry, but the provided knowledge sources do not contain explicit instructions or code examples for extracting the `sub` claim from a JWT in TypeScript. They describe the structure of the JWT and mention that the `sub` claim is present, but do not show how to decode or parse the token in TypeScript [OpenID Connect overview](https://www.ory.sh/docs/oauth2-oidc/overview/oidc-concepts#the-id-token). If you need to extract the `sub` claim, you would typically decode the JWT using a library, but this specific step is not covered in the knowledge sources.
h
@chilly-king-10285 The `sub` is missing from the JWT token, it's just `iss`, `aud`, `events`, `iat`, `jti` & `sid`. What do you mean exactly with the `sub`?
b
A message from kapa.ai
Thank you for your clarification. According to the Ory documentation, the example `logout_token` for OpenID Connect Back-Channel Logout contains the following claims: `iss`, `aud`, `iat`, `jti`, `sid`, and `events`. The `sub` (subject) claim is not included in the example or mentioned as a required claim for the logout token:

```json
{
  "iss": "https://server.example.com",
  "aud": "s6BhdRkqt3",
  "iat": 1471566154,
  "jti": "bWJq",
  "sid": "08a5019c-17e1-4977-8f42-65a12843ea02",
  "events": {
    "http://schemas.openid.net/event/backchannel-logout": {}
  }
}
```

The documentation does not state that the `sub` claim will be present in the `logout_token`. Instead, the `sid` (session ID) is included, which is used to associate the logout event with a particular session. Therefore, if you need to identify the user, you may need to map the `sid` to the user identity using your own session management or database, as the `sub` claim is not available in the logout token provided by Ory [OpenID Connect logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout).

In summary: The `sub` claim is not present in the Ory `logout_token` for back-channel logout. You should use the `sid` claim to identify the session, and if you need the user identity, you must map the session ID (`sid`) to the user in your own system.
h
@chilly-king-10285 Is there a way to get the `sub` into the `logout_token`?
b
A message from kapa.ai
Based on the provided knowledge sources, there is no explicit documentation or configuration option described that allows you to include the `sub` (subject) claim in the `logout_token` for OpenID Connect Back-Channel Logout in Ory. The example `logout_token` in the Ory documentation only contains the claims `iss`, `aud`, `iat`, `jti`, `sid`, and `events`, and there is no mention of a way to add the `sub` claim to this token [OpenID Connect logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout).

Therefore, according to the available documentation, it is not possible to configure Ory to include the `sub` claim in the `logout_token`. If you need to associate the logout event with a user, you will need to map the `sid` (session ID) to the user in your own system.
h
@chilly-king-10285 I have another question. `id_token` is not getting returned when calling `oauth2/auth` with extra params. How do I make sure this is always present, so I can use it for `id_token_hint`?
b
A message from kapa.ai
To ensure that an `id_token` is always returned when calling `/oauth2/auth`, you must:

1. Include the `openid` scope in your authorization request. The `id_token` is only issued as part of the OpenID Connect flow, which requires the `openid` scope. For example:

```
/oauth2/auth?response_type=code&scope=openid
```

If you omit the `openid` scope, you will not receive an `id_token` [OpenID Connect ID Token missing](https://www.ory.sh/docs/hydra/debug).

2. Make sure your OAuth2 client is allowed to request the `openid` scope and that your consent app grants it when accepting the consent request. If the client is not permitted to request `openid`, or if the consent app does not grant it, the `id_token` will not be issued [OpenID Connect ID Token missing](https://www.ory.sh/docs/hydra/debug).
3. For Implicit or Hybrid flows, ensure you use the correct `response_type` (such as `id_token` or `token id_token`) and include a `nonce` parameter. For the Authorization Code flow, `nonce` is optional, but for Implicit/Hybrid flows, it is required [OpenID Connect ID Token missing](https://www.ory.sh/docs/hydra/debug).

Summary:
- Always include `scope=openid` in your request.
- Ensure your client and consent app allow and grant the `openid` scope.
- Use the correct `response_type` and include `nonce` if required.

If you follow these steps, the `id_token` will be present in the response and can be used for `id_token_hint` in logout requests.
h
@chilly-king-10285 I got it working. However, when using `post_logout_redirect_uri`, it appears that this URL is not getting used properly. When I log out, I get redirected to a different URL (that is likely set in a config). How do I make sure `post_logout_redirect_uri` is actually getting used?
b
A message from kapa.ai
To ensure that the `post_logout_redirect_uri` is used after logout, you must:

1. Whitelist the URI in your OAuth2 client configuration: The `post_logout_redirect_uri` will only be honored if it matches one of the URIs listed in the client's `post_logout_redirect_uris` field. If the URI is not whitelisted, Ory will fall back to the default post-logout redirect URL set in your configuration. Make sure your desired redirect URI is included in the `post_logout_redirect_uris` list for your client [Redirect after logout](https://www.ory.sh/docs/oauth2-oidc/oidc-logout#redirect-after-logout).
2. Set the parameter in your logout request: When making the logout request, include the `post_logout_redirect_uri` parameter in the URL query and set its value to the desired redirect URL.
3. Check for configuration overrides: If you update your client configuration via the Ory Console, be aware that some parameters (like `post_logout_redirect_uris`) may not be editable in the UI and could be overridden or cleared if not managed via the CLI or API. Always verify your client configuration after making changes [OAuth client configuration overrides](https://github.com/ory/network/issues/370).

Summary:
- Add your desired redirect URI to the `post_logout_redirect_uris` list in your OAuth2 client config.
- Use that exact URI as the value for `post_logout_redirect_uri` in your logout request.
- If the redirect still does not work, double-check your client configuration for the correct list of allowed URIs.

If these steps are followed and the redirect still does not work, the knowledge sources do not provide further troubleshooting steps.