# talk-hydra

dry-dusk-93692

03/28/2022, 1:58 PM
I am trying to get OAuth 2.0 authentication running with Hydra locally, with all related apps on localhost over HTTPS. The login and consent flows are working fine, but I have a serious problem getting the logout flow running. I have been told that it is most likely due to a wrong configuration. Can anybody advise me on the proper configuration? I use Hydra and PostgreSQL running on Windows with Docker Desktop and WSL2, based on the Hydra example. Here is the error log with full stack info:

```json
{
  "audience":"application",
  "error":{
    "debug":"",
    "message":"invalid_request",
    "reason":"square/go-jose: compact JWS format must have three parts",
    "stack_trace":"\u000agithub.com/ory/x/errorsx.WithStack\u000a\u0009/go/pkg/mod/github.com/ory/x@v0.0.344/errorsx/errors.go:38\u000agithub.com/ory/hydra/consent.(*DefaultStrategy).getIDTokenHintClaims\u000a\u0009/project/consent/strategy_default.go:192\u000agithub.com/ory/hydra/consent.(*DefaultStrategy).issueLogoutVerifier\u000a\u0009/project/consent/strategy_default.go:803\u000agithub.com/ory/hydra/consent.(*DefaultStrategy).HandleOpenIDConnectLogout\u000a\u0009/project/consent/strategy_default.go:996\u000agithub.com/ory/hydra/oauth2.(*Handler).LogoutHandler\u000a\u0009/project/oauth2/handler.go:129\u000agithub.com/julienschmidt/httprouter.(*Router).ServeHTTP\u000a\u0009/go/pkg/mod/github.com/julienschmidt/httprouter@v1.3.0/router.go:387\u000agithub.com/urfave/negroni.Wrap.func1\u000a\u0009/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46\u000agithub.com/urfave/negroni.HandlerFunc.ServeHTTP\u000a\u0009/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\u000agithub.com/urfave/negroni.middleware.ServeHTTP\u000a\u0009/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go38\u000anet/http.HandlerFunc.ServeHTTP\u000a\u0009/usr/local/go/src/net/http/server.go2047\u000agithub.com/ory/hydra/x.RejectInsecureRequests.func1\u000a\u0009/project/x/tls_termination.go:62\u000agithub.com/urfave/negroni.HandlerFunc.ServeHTTP\u000a\u0009/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\u000agithub.com/urfave/negroni.middleware.ServeHTTP\u000a\u0009/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\u000agithub.com/ory/x/metricsx.(*Service).ServeHTTP\u000a\u0009/go/pkg/mod/github.com/ory/x@v0.0.344/metricsx/middleware.go:275\u000agithub.com/urfave/negroni.middleware.ServeHTTP\u000a\u0009/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go38\u000anet/http.HandlerFunc.ServeHTTP\u000a\u0009/usr/local/go/src/net/http/server.go2047\u000agithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1\u000a\u0009/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go198\u000anet/http.HandlerFunc.ServeHTTP\u000a\u0009/usr/local/go/src/net/http/server.go2047\u000agithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1\u000a\u0009/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go101\u000anet/http.HandlerFunc.ServeHTTP\u000a\u0009/usr/local/go/src/net/http/server.go2047\u000agithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1\u000a\u0009/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go68\u000anet/http.HandlerFunc.ServeHTTP\u000a\u0009/usr/local/go/src/net/http/server.go2047\u000agithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2\u000a\u0009/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go76\u000anet/http.HandlerFunc.ServeHTTP\u000a\u0009/usr/local/go/src/net/http/server.go2047\u000agithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1\u000a\u0009/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go165\u000anet/http.HandlerFunc.ServeHTTP\u000a\u0009/usr/local/go/src/net/http/server.go2047\u000agithub.com/ory/x/prometheusx.Metrics.instrumentHandlerStatusBucket.func1\u000a\u0009/go/pkg/mod/github.com/ory/x@v0.0.344/prometheusx/metrics.go108\u000anet/http.HandlerFunc.ServeHTTP\u000a\u0009/usr/local/go/src/net/http/server.go2047\u000agithub.com/ory/x/prometheusx.(*MetricsManager).ServeHTTP\u000a\u0009/go/pkg/mod/github.com/ory/x@v0.0.344/prometheusx/middleware.go:30\u000agithub.com/urfave/negroni.middleware.ServeHTTP\u000a\u0009/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\u000agithub.com/ory/x/reqlog.(*Middleware).ServeHTTP\u000a\u0009/go/pkg/mod/github.com/ory/x@v0.0.344/reqlog/middleware.go:134\u000agithub.com/urfave/negroni.middleware.ServeHTTP\u000a\u0009/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38",
    "status":"Bad Request",
    "status_code":400
  },
  "file":"/project/x/errors.go:49",
  "func":"github.com/ory/hydra/x.LogError",
  "http_request":{
    "headers":{
      "accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
      "accept-encoding":"br, gzip, deflate",
      "accept-language":"en-US,en;q=0.9,sk-SK;q=0.8,sk;q=0.7,cs;q=0.6,de;q=0.5",
      "cache-control":"no-cache",
      "cookie":[
        "oauth2_authentication_csrf=MTY0ODQ3NTUzN3xEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJR0V4TlRabVpEYzNNak15T0RRNVpXSTRNelE1TkdVM01tSTVNVFV6WXpjeHyjViWP3qFFMw-xAxHancVTuAMI0SBrfYcChc8HTx-8PA==; oauth2_authentication_session=MTY0ODQ3NTU0MXxEdi1CQkFFQ180SUFBUkFCRUFBQVFmLUNBQUVHYzNSeWFXNW5EQVVBQTNOcFpBWnpkSEpwYm1jTUpnQWtOVFV5T1RNeU9EUXRZakZoWVMwMFl6RTBMVGd4WW1RdE5EQmhZMlpoWlRNek1tSmh83-ynFPFZ1vIW3lNcweKknwSaaNJPzp_qRlnNi5ksjFM=; oauth2_consent_csrf=MTY0ODQ3NTU0MXxEdi1CQkFFQ180SUFBUkFCRUFBQVB2LUNBQUVHYzNSeWFXNW5EQVlBQkdOemNtWUdjM1J5YVc1bkRDSUFJR0kwWmpZNE1HRmhPVEk0TkRSbE1tWmhORE0xTVRsbE1UQTNaRGt4T1RFM3xTGTgssQCQ056gAIRptKHRLR3Fps1SuKovzpVcsX2fNQ=="
      ],
      "pragma":"no-cache",
      "referer":"https://localhost:4200/",
      "sec-ch-ua":"\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"99\", \"Google Chrome\";v=\"99\"",
      "sec-ch-ua-mobile":"?0",
      "sec-ch-ua-platform":"\"Windows\"",
      "sec-fetch-dest":"document",
      "sec-fetch-mode":"navigate",
      "sec-fetch-site":"same-site",
      "sec-fetch-user":"?1",
      "upgrade-insecure-requests":"1",
      "user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36"
    },
    "host":"localhost:9000",
    "method":"GET",
    "path":"/oauth2/sessions/logout",
    "query":"id_token_hint=5LkjHjpL1ysnJjSveDtfx9MrFOhwLLTUzLdgdwoRMnU.oQzsAenV-DXIqk4UQPsx8D6b0feApmb_pTmtNbRdw4k&post_logout_redirect_uri=https%3A%2F%2Flocalhost%3A4200&state=b7586ea9f5cc4daf8ad9276d945e080a",
    "remote":"172.19.0.1:46460",
    "scheme":"https"
  },
  "level":"error",
  "msg":"An error occurred",
  "service_name":"Ory Hydra",
  "service_version":"v1.11.7",
  "time":"2022-03-28T135251Z"
}
```

magnificent-energy-493

03/28/2022, 2:57 PM
Can you please add your full configuration?
• are you always using 127.0.0.1 or localhost? if you mix those -> error
• please confirm that WSL does not act as some kind of proxy

Further - and this is important - can you confirm you have a cookie named `oauth2_authentication_session` for the URL Ory Hydra is running on, and for the domain that's in your `http://.../oauth2/sessions/logout`

dry-dusk-93692

03/28/2022, 3:16 PM
Hi Vincent, thanks for the answer! Here is my config - the docker command with environment variables set:

```shell
docker run -d --name ory-hydra-example--hydra --network hydraguide -p 9000:4444 -p 9001:4445 \
  -e SECRETS_SYSTEM=this_needs_to_be_the_same_always_0A1DA5BC-50FD-49E8-A993-8C1DE7D8F6F1 \
  -e DSN=postgres://hydra:secret@ory-hydra-example--postgres2:5432/hydra?sslmode=disable \
  -e SERVE_TLS_CERT_BASE64="$(base64 -i /c/certificates/dotnet/localhost.crt)" \
  -e SERVE_TLS_KEY_BASE64="$(base64 -i /c/certificates/dotnet/localhost.key)" \
  -e LOG_FORMAT=json \
  -e LOG_LEAK_SENSITIVE_VALUES=true \
  -e LOG_LEVEL=trace \
  -e OAUTH2_EXPOSE_INTERNAL_ERRORS=true \
  -e OAUTH2_INCLUDE_LEGACY_ERROR_FIELDS=true \
  -e SERVE_ADMIN_CORS_ALLOWED_HEADERS=Authorization,Content-Type \
  -e SERVE_ADMIN_CORS_ALLOWED_ORIGINS=* \
  -e SERVE_ADMIN_CORS_DEBUG=true \
  -e SERVE_ADMIN_CORS_ENABLED=true \
  -e SERVE_ADMIN_CORS_EXPOSED_HEADERS=Content-Type \
  -e SERVE_ADMIN_CORS_OPTIONS_PASSTHROUGH=true \
  -e SERVE_COOKIES_SAME_SITE_MODE=Lax \
  -e SERVE_PUBLIC_CORS_ALLOWED_HEADERS=Authorization,Content-Type \
  -e SERVE_PUBLIC_CORS_ALLOWED_ORIGINS=* \
  -e SERVE_PUBLIC_CORS_DEBUG=true \
  -e SERVE_PUBLIC_CORS_ENABLED=true \
  -e SERVE_PUBLIC_CORS_EXPOSED_HEADERS=Content-Type \
  -e TTL_ACCESS_TOKEN=1h \
  -e URLS_CONSENT=https://localhost:9030/api/consent \
  -e URLS_LOGIN=https://localhost:9030/api/login \
  -e URLS_LOGOUT=https://localhost:9030/api/logout \
  -e URLS_SELF_ISSUER=https://localhost:9000/ \
  -e URLS_POST_LOGOUT_REDIRECT=https://localhost:4200/ \
  -e OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=this_needs_to_be_the_same_always_0A1DA5BC-50FD-49E8-A993-8C1DE7D8F6F1 \
  -e OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES=pairwise,public \
  oryd/hydra:v1.11.7-amd64 serve all
```

I think I always use localhost. The truth is that I do not know how WSL2 is accessed from inside the running Docker image. The cookies are also included in the request in the previously attached error log. How can I confirm whether the requested cookies are OK or not?

Is anybody able to use oauth2/sessions/logout?