Hi,
As per the documentation a call to GET /oauth2/sessions/logout
with the id_token_hint
parameter should initiate the logout flow. But, when I make that call, I only get a 302 response like this:
< HTTP/1.1 302 Found
< Content-Type: text/html; charset=utf-8
< Location: https://my-example.app/logout-successful
< Date: Thu, 07 May 2020 06:53:16 GMT
< Content-Length: 63
<
<a href="https://my-example.app/logout-successful">Found</a>.
As you can see, I don’t get a logout_challenge
. When I look into the id-token that was retrieved as part of the login flow, and presented to the logout endpoint, it’s not expired, and it contains a valid sid
attribute which I can also locate in the database tables (hydra_oauth2_access and hydra_oauth2_authentication_session). The oauth2 client app has default settings for backchannel and frontchannel logout, and I’m on the v1.3.2 release of Hydra.
So, what am I doing wrong here?