As per the documentation, a call to GET /oauth2/sessions/logout with the id_token_hint parameter should initiate the logout flow. But when I make that call, I only get a 302 response like this:
< HTTP/1.1 302 Found
< Content-Type: text/html; charset=utf-8
< Location: https://my-example.app/logout-successful
< Date: Thu, 07 May 2020 06:53:16 GMT
< Content-Length: 63
<
<a href="https://my-example.app/logout-successful">Found</a>.
As you can see, I don’t get a logout_challenge. When I look into the id-token that was retrieved as part of the login flow and presented to the logout endpoint, it’s not expired, and it contains a valid sid attribute, which I can also locate in the database tables (hydra_oauth2_access and hydra_oauth2_authentication_session). The oauth2 client app has default settings for backchannel and frontchannel logout, and I’m on the v1.3.2 release of Hydra.
So, what am I doing wrong here?