How to use post_logout_redirect_uris param to logout in PKCE mode

My client is as below. When I invoke the Hydra public endpoint “/oauth2/sessions/logout”, I get this failure info:

Error: invalid_request
  • Description: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed
  • Hint: Logout failed because query parameter post_logout_redirect_uri is set but id_token_hint is missing
  • Debug:

When I add id_token_hint=id_token, I get this failure info:

Error: invalid_request
  • Description: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed
  • Hint: token contains an invalid number of segments
  • Debug:

What can I do?

```json
{
    "client_id": "id_pkce",
    "client_name": "",
    "redirect_uris": [
        "http://localhost:8080/auth/"
    ],
    "grant_types": [
        "authorization_code",
        "refresh_token"
    ],
    "response_types": [
        "code",
        "id_token"
    ],
    "scope": "openid offline first_party",
    "audience": [],
    "owner": "",
    "policy_uri": "",
    "allowed_cors_origins": [
        "http://localhost:8080"
    ],
    "tos_uri": "",
    "client_uri": "",
    "logo_uri": "",
    "contacts": [],
    "client_secret_expires_at": 0,
    "subject_type": "public",
    "jwks": {},
    "token_endpoint_auth_method": "none",
    "userinfo_signed_response_alg": "none",
    "created_at": "2020-10-16T04:57:04Z",
    "updated_at": "2020-10-16T04:57:04Z",
    "post_logout_redirect_uris": [
        "http://localhost:8080"
    ],
    "metadata": {}
}
```

You need to set an actual ID Token, which is a JSON Web Token or rather an OpenID Connect ID Token, not the string id_token.

Sorry for the late reply, it was a rest day. How can I get the OpenID Connect ID Token? Do I use /userinfo to get it? I tried the value of token, sid, sub or userid, but I get the same error as with ‘id_token’. Could you give more tips? Thank you so much!

I recommend watching:

Thanks. I missed the scope ‘openid’ when submitting ‘/oauth2/auth’. After I added it, I got the id_token value from ‘/auth2/token’. I used the id_token as id_token_hint in logout. The error is resolved, but I get another message. If I set the env ‘URLS_POST_LOGOUT_REDIRECT’, the following message disappears, but the browser redirects to the env value, not the value of ‘post_logout_redirect_uris’. My Hydra version is 1.5. Please give more suggestions.

 The Default Post Logout URL is not set which is why you are seeing this fallback page. Your log out request however succeeded.

You are seeing this page because configuration key urls.post_logout_redirect is not set.

If you are an administrator, please read the guide to understand what you need to do. If you are a user, please contact the administrator. 

I hope it will behave as follows:

The post_logout_redirect defaults to the configuration value of urls.post_logout_redirect. If a post_logout_redirect_uri was set and that URL is in the array of the OAuth2 Client's urls.post_logout_redirect, the browser will be redirected there instead.

I read the logout flow of Hydra again and found that I need to append a query param ‘post_logout_redirect_uri’. Its value is in the array called ‘post_logout_redirect_uris’ of the client. Now I have resolved the issue at last.

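The logout request the thread arrives at, as an added example that is not part of the original posts or of Hydra's own code: it rejects a non-JWT `id_token_hint` (the "invalid number of segments" case) and a `post_logout_redirect_uri` that is not in the client's registered list before building the URL. `HYDRA_PUBLIC`, the helper names and the sample token are assumptions constructed for illustration; the shape check does not verify the token's signature.

```javascript
// Assumption: Hydra's public URL; replace with your deployment's value.
const HYDRA_PUBLIC = "http://localhost:4444";
// Copied from the client registration posted in the thread.
const REGISTERED_POST_LOGOUT_URIS = ["http://localhost:8080"];

// Constructed sample only: a JWT-shaped string with a placeholder signature.
const b64url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_ID_TOKEN =
  [b64url({ alg: "RS256" }), b64url({ sub: "user-1", aud: ["id_pkce"] }), "c2lnbmF0dXJl"].join(".");

// Shape check only (no signature verification): three base64url segments
// whose middle segment decodes to JSON with a string "sub" claim.
// The literal "id_token" has one segment, which is the error seen above.
function looksLikeIdToken(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3 || parts.some((p) => !/^[A-Za-z0-9_-]+$/.test(p))) return false;
  try {
    const payload = JSON.parse(atob(parts[1].replace(/-/g, "+").replace(/_/g, "/")));
    return typeof payload.sub === "string";
  } catch {
    return false;
  }
}

// Builds the URL the browser navigates to for logout.
function buildLogoutUrl(idToken, postLogoutRedirectUri, state) {
  if (!looksLikeIdToken(idToken)) {
    throw new Error("id_token_hint must be the ID Token returned by the token endpoint");
  }
  // Client-side pre-check: exact string match against the registered list.
  if (!REGISTERED_POST_LOGOUT_URIS.includes(postLogoutRedirectUri)) {
    throw new Error("post_logout_redirect_uri is not registered for this client");
  }
  const url = new URL("/oauth2/sessions/logout", HYDRA_PUBLIC);
  url.searchParams.set("id_token_hint", idToken);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  if (state) url.searchParams.set("state", state);
  return url.toString();
}
```

The ID Token is only issued when the authorization request includes the `openid` scope, as the thread found.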