Preflight checklist
Describe the bug
Ory Hydra doesn't wait for the back-channel logout requests it sends to the RP to finish before logging out the user. Consequently, Hydra completes the logout before all clients have finished handling it. This causes problems when the back-channel logout handling at the RP is slow: for example, if the end-user accesses the RP after the logout has reported success but before the RP has finished its logout handling, the end-user is expected to be logged out but is not.
This behavior can be seen from the following line:
hydra/consent/strategy_default.go
Line 708 in be6e005
I realize that the current behavior is a trade-off between speed and robustness. With the current behavior, the logout is a little faster since the end-user doesn't have to wait for back-channel logouts to finish. But I would argue that robustness is more important in this case since the speed win is marginal.
I have tried to find any guidance in the OIDC specification regarding whether the OP should wait for the back-channel logouts to finish before responding with a successful logout, but have failed to find any. So it seems that this is up to the implementation to decide.
Reproducing the bug
- Set up an RP by creating an OIDC client with back-channel logout. The client's post_redirect URI must point to the RP.
- Set up the RP so that its handling of the back-channel logout hook is slow.
- Login
- Logout
- Access the RP quickly, before its slow back-channel logout handling has finished.
- The user is not logged out from the RP, but should be.
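As an added example (not Hydra's code and not from the issue author), this Go program shows the alternative the report argues for: the OP completes the logout only after every RP has answered its back-channel logout request, with the wait bounded by the HTTP client's Timeout. `sendBackChannelLogouts`, `newSlowRP`, the slow in-process RP and the `constructed-logout-token` string are all constructed for the illustration; a real OP sends a signed logout_token JWT.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
	"sync/atomic"
	"time"
)

// sendBackChannelLogouts POSTs the logout_token to every RP concurrently but, unlike the
// fire-and-forget path the issue describes, returns only after all RPs answered or c.Timeout elapsed.
func sendBackChannelLogouts(c *http.Client, rps []string, token string) []error {
	errs := make([]error, len(rps))
	var wg sync.WaitGroup
	for i, rp := range rps {
		wg.Add(1)
		go func(i int, rp string) {
			defer wg.Done()
			resp, err := c.PostForm(rp, url.Values{"logout_token": {token}})
			if err == nil {
				resp.Body.Close()
				if resp.StatusCode != http.StatusOK {
					err = fmt.Errorf("%s answered %d", rp, resp.StatusCode)
				}
			}
			errs[i] = err // nil only for a 200; else transport error, timeout or bad status
		}(i, rp)
	}
	wg.Wait() // only now may the OP tell the browser that the logout succeeded
	return errs
}

// newSlowRP is a constructed RP whose logout handling takes `delay` before the session really ends.
func newSlowRP(delay time.Duration, ended *atomic.Bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		time.Sleep(delay)
		ended.Store(true)
		w.WriteHeader(http.StatusOK)
	}))
}

func main() {
	var ended atomic.Bool
	rp := newSlowRP(200*time.Millisecond, &ended)
	errs := sendBackChannelLogouts(rp.Client(), []string{rp.URL}, "constructed-logout-token")
	fmt.Println("rp err:", errs[0], "session ended before OP finished:", ended.Load())
}
```

With the wait in place the RP's session is already terminated when the OP reports success, so the race in the reproduction steps cannot occur; a slow RP surfaces as a timeout error instead of a silently still-logged-in user.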
Relevant log output
No response
Relevant configuration
No response
Version
2.12
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Kubernetes with Helm
Additional Context
No response