Missing logout_challenge query parameter on logout redirect #1635
Seems like you're hitting something similar to #1634. While it's ok to obfuscate things (like the ID token or the hosts), that makes it insanely difficult to debug.
Apologies. Token pasted below. In this case I was expecting a logout_challenge parameter to be sent as per https://www.ory.sh/docs/next/hydra/implementing-consent#logout. However, it is not sent to the redirect specified in the config. The redirect actually has the state and the id_token_hint query parameters. Whereas I can extract the id from the id_token_hint (which is the ID token of the OpenID Connect spec), I thought I would be able to get the logout_challenge and use it via the admin API to retrieve the logout request details: AdminApi.getLogoutRequest(logout_challenge). Here is the token
We've had several reports in the past regarding this functionality; it always boiled down to misconfiguration or misunderstanding how the flow works. Therefore, I've updated the docs:
Please read them, you will probably find the problem easily. It typically boils down to:
Unless you find more concrete proof of a bug (unlikely, because the symptoms definitely speak for something on the list above), this will be closed. Please also read #1634 - it has several examples of what can go wrong.
Thanks! I discovered that we are not setting remember to true. I will close this issue now.
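Added example (not code from this issue or from Hydra itself): a Go helper for a logout endpoint that, as in the setup reported here, serves as both the logout provider URL and the post_logout_redirect_uri. It separates a redirect carrying logout_challenge (Hydra holds a remembered session, so the admin API must be called) from the state/id_token_hint-only redirect described above, which is what Hydra sends when the login was accepted without remember=true and there is no session to end. The admin base URL and the sample query strings are assumed placeholders; the admin paths are those of the Hydra 1.x admin API.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// LogoutDecision is what the logout endpoint should do with a redirect arriving from
// Hydra's /oauth2/sessions/logout when one URL is both logout provider and post-logout callback.
type LogoutDecision struct {
	Challenge      string // logout_challenge; present only when Hydra holds a remembered session
	State          string // echoed by Hydra on the post-logout redirect
	AdminGetURL    string // admin API: fetch the logout request (empty without a challenge)
	AdminAcceptURL string // admin API: accept the logout request (empty without a challenge)
	SessionToEnd   bool   // false reproduces this issue's symptom: no remembered session
}

// ClassifyLogoutRedirect parses the query string Hydra appended to the redirect.
// adminBase is the Hydra admin API base URL (an assumed placeholder in this example).
func ClassifyLogoutRedirect(adminBase, rawQuery string) (LogoutDecision, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return LogoutDecision{}, err
	}
	d := LogoutDecision{State: q.Get("state")}
	challenge := q.Get("logout_challenge")
	if challenge == "" {
		// Hydra issues a challenge only when it has a session for the subject. With
		// remember=false on the accepted login request there is nothing to end, so Hydra
		// skips the provider and redirects straight to post_logout_redirect_uri with state.
		if d.State == "" && q.Get("id_token_hint") == "" {
			return d, errors.New("neither logout_challenge nor post-logout state present")
		}
		return d, nil
	}
	d.Challenge, d.SessionToEnd = challenge, true
	base := strings.TrimRight(adminBase, "/") + "/oauth2/auth/requests/logout"
	d.AdminGetURL = base + "?logout_challenge=" + url.QueryEscape(challenge)
	d.AdminAcceptURL = base + "/accept?logout_challenge=" + url.QueryEscape(challenge)
	return d, nil
}

func main() {
	// Constructed sample: the query string reported in this issue (no logout_challenge).
	d, err := ClassifyLogoutRedirect("https://hydra-admin.example:4445", "state=somelongvalue&id_token_hint=theidtoken")
	fmt.Printf("%+v err=%v\n", d, err)
}
```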
For request 'GET /hydra/logout?state=somelongvalue' [Missing parameter: logout_challenge]
Hydra version: 1.0.9
Environment: docker using image tagged "latest"
Config:
name: OIDC_SUBJECT_IDENTIFIERS_ENABLED
value: public
value: jwt
value: https://xxxxx
value: https://xxx/hydra/consent
value: https://xxxx/hydra/login
value: https:/xxxx/hydra/logout
value: memory
value: xxxxx
value: public,pairwise
value: xxxxx
Client setup:
hydra.exe clients create --skip-tls-verify --endpoint https:/xxxx:xxx --id "auth-id" -r token,id_token,code,"token id_token" -g implicit -a xxxx --callbacks https://www.getpostman.com/oauth2/callback,https://xxxxx/hydra/logout -a openid,offline --post-logout-callbacks https://xxxxx/hydra/logout
Request:
https://xxxx/oauth2/sessions/logout?post_logout_redirect_uri=https://xxxxx/hydra/logout&state=somelongvalue&id_token_hint=theidtoken
Logs:
time="2019-11-11T10:57:15Z" level=info msg="completed handling request" measure#hydra/public: https://xxxxx/.latency=856337 method=GET remote="xxxxx" request="/oauth2/sessions/logout?post_logout_redirect_uri=https://xxxxx/hydra/logout&state=somelongvalue&id_token_hint=theidtoken status=302 text_status=Found took="856.337µs"