05/04/2022, 4:27 PM
Hello, our Kratos is set up in an environment with an identity access proxy to access the service. This proxy checks for an Authorization header, which is not removed afterwards. Most public Kratos API calls work fine, such as /sessions/whoami (with the session in a cookie), but /self-service/logout fails. If I call the same path without the Authorization header, everything works fine again. So in our requests, both the Authorization and Cookie headers are present, but only the Cookie header should be considered by Kratos. tl;dr: depending on the API call, Kratos seems to prioritise different headers to check for a session, or the logout is checking them all? Although in the code I could not immediately find a reference to this. It was pretty confusing to figure this out 😄 Right now I am using another solution to get around this problem, but what is the intention with this in Kratos, or is this a bug?


05/05/2022, 8:45 AM
Hello. I think the extractToken source code might help you. Kratos tries to get the session token in the following order:
1. X-Session-Token header
2. X-Session-Cookie header
3. Cookie header
4. Authorization header


05/08/2022, 12:09 PM
Hey @User. Looks like when purging the HTTP session, the order is different and the Authorization header is considered no matter what, which means the logout URL fails when a non-related Authorization header is supplied.