Open
Description
When logging out from a client app, this is the flow that happens:
- Logout from the app: https://hydra.server/oauth2/sessions/logout
- Hydra calls mokey: https://mokey.server/auth/logout (with a post_logout_redirect). Here Hydra expects a flow, as it is setting a logout_challenge parameter on the URL (as stated in the documentation: https://www.ory.sh/hydra/docs/concepts/logout/)
- Looking at the code, mokey doesn't follow that flow and seems to just revoke Hydra authentication:
Line 90 in 04fcefd
Line 99 in 04fcefd
As stated in the Hydra documentation, there is a flow, and there is a post_logout_redirect_uri where the user should be redirected after logout (and also an optional logout consent page). As I understand it, mokey should get that post-logout redirect parameter from Hydra's logout flow and in the end redirect there (to the app), so that when the user wants to log in again, the app will redirect with the login_challenge parameter from Hydra (login flow).
Is the logout flow missing in mokey? Or am I misunderstanding the OpenID logout flow?
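
The logout-challenge handling described in the linked Hydra documentation, sketched as an added example (not mokey's code and not part of the original issue): the handler reads `logout_challenge`, accepts it against Hydra's admin API, and redirects only to the `redirect_to` value Hydra returns, never to a URL taken from the request. The admin path is the Hydra 1.x one; the listen address and admin URL in `main` are assumed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)

// acceptLogout confirms the challenge with Hydra's admin API (1.x path, assumed) and returns redirect_to.
func acceptLogout(client *http.Client, adminURL, challenge string) (string, error) {
	u := adminURL + "/oauth2/auth/requests/logout/accept?logout_challenge=" + url.QueryEscape(challenge)
	req, err := http.NewRequest(http.MethodPut, u, nil)
	if err != nil {
		return "", err
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("hydra did not accept logout challenge: %s", resp.Status)
	}
	var body struct{ RedirectTo string `json:"redirect_to"` }
	err = json.NewDecoder(resp.Body).Decode(&body)
	return body.RedirectTo, err
}

// LogoutHandler is a hypothetical /auth/logout handler; clearing the local session is omitted.
func LogoutHandler(adminURL string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		challenge := r.URL.Query().Get("logout_challenge")
		if challenge == "" {
			http.Error(w, "missing logout_challenge", http.StatusBadRequest)
			return
		}
		redirectTo, err := acceptLogout(http.DefaultClient, adminURL, challenge)
		if err != nil || redirectTo == "" {
			http.Error(w, "logout could not be completed", http.StatusBadGateway)
			return
		}
		// The target comes from Hydra's response, so request parameters cannot steer the redirect.
		http.Redirect(w, r, redirectTo, http.StatusFound)
	}
}

func main() {
	http.ListenAndServe("127.0.0.1:8080", LogoutHandler("http://127.0.0.1:4445")) // assumed addresses
}
```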